Solved

VPN using Comcast business w/ Cisco ASA and 2821

Posted on 2008-06-16
4
1,176 Views
Last Modified: 2013-11-16
Just need some quick confirmation that a proposed solution makes sense.  I'm looking to set up static vpns between three sites, and also provide internet access to all staff at the three sites.  There's a main office that currently has about 300 users, and several servers that need public IPs (mail, web, etc) as well as some servers that *don't* need public IPs (Windows fileservers, mostly).  I'll call this site "HQ"  HQ currently uses a Cisco 2821 with the advanced security bundle, including the VPN bundle.  Users authenticate against Windows AD for remote access to the internal HQ file servers; works beautifully.  

There are two other remote sites due for some changes.  HQ currently connects to a branch office ("Branch1")  over a leased line.  Branch1 has a maximum of 100 users or so, needs basic internet access for users, and the ability to access servers at HQ and its own fileservers remotely over a VPN.  Orders have come down to move to a less expensive alternative than the leased line,  There is a strong push to move Branch1 onto a  Comcast cable connection, together with HQ.  Similarly, there's a very small Branch2 office, with no servers, but on days when one or two staff are visiting that location, they will need VPN access to the servers and both other sites and full NAT'd internet access.  

I'd like confirmation that I can set up a static VPN between the 2821 router at HQ and both branch offices if I purchase Cisco ASA 5505's  with the advanced security bundle for those locations.  There is a strong push to do it over Comcast business connections, so we can have a public IP (or 3 or 4) at each site, if necessary).  

I believe we'll need two of Cisco part number  CIS-ASA5505-SEC-BUN-K9,  which provides "unlimited" connections.  I would like to continue authenticating against our Active Directory domain server.  I'm planning to configure the external ethernet port on the router or ASA to respond to the public IP addresses provided by Comcast.  

Can a Cisco guru confirm this is a sensible approach?  Am I overlooking anything major? Is the 5505 too wimpy for this many connections/users?  Want to keep the 2821 in use, since it's  been such a tank for us so far.  Thanks.  
0
Comment
Question by:illbydes
  • 2
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
mabutterfield earned 500 total points
ID: 21795584
I don't think you would need the security Plus bundle.  

So, I would get ASA5505-UL-BUN-K9 for branch1 and ASA5505-BUN-K9 (10 users) for branch2.  The only reason to get the plus license is for HA, additional VPN peers, or VLAN trunking.  

The 5505 is rated for 150mbps throughput, and 100mbps VPN throughput, which is far beyond what the Comcast cable will support.  

You'll only need 2 IPSEC vpn peers, and the base license comes with 10.  

The 2821 is a beefy machine and should handle it fine.  

My only concerns would be, if you are trying to do something more with the equipment, such as IDS, VoIP, or something else.  If that's the case, you may want to consider a different product for the branch offices.  

0
 

Author Comment

by:illbydes
ID: 21813613
Thanks.  It'd be good to save some $ if possible.   The  Cisco licensing  never fails to confuse me.  For instance,  we won't have a lot of simultaneous VPN use (should always be under the 25 clients we have with the 2821 bundle)  So, as long as we don't exceed the number of licenses at any one time, we're ok, yes?    

Also if someone logs on to HQ over an IPSEC VPN client, and gains access to Branch1 over the static VPN, does this increase the VPN user count on the branch1 appliance?  Or does it only affect the device on which they established the connecxtion,  the 2821 router?  
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21816220
I'm not 100% sure about the first part of that.  I think it's 25 simultaneous vpn connections, but I'm not certain.  That's the way I treat it though.

If someone is using a client VPN to connect to the 2821, that uses 1 peer license for the 2821. The site-to-site VPN between the 2821 and each of the branch sites use 1 peer license each, no matter how much traffic goes through it.   So, with 2 branch offices, you can have 23 clients connected to the 2821, and they can go ANYWHERE in the all of the networks (assuming that's how you setup your acl's and routing).  Each branch needs 1 vpn (or 2 if you connect the two branches together)

It would only increase the vpn license count on the branch asa if the user connected DIRECTLY to the branch location via a client VPN.

0
 

Author Closing Comment

by:illbydes
ID: 31467631
Thanks, esp. for reassurance about not needing the security plus bundle.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Move configuration from Cisco 3560 to 3750X 6 42
Packet Tracer Router to Router 10 61
ACL Logging Optimization 7 30
CISCO Smartnet agreement 5 8
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now