VPN using Comcast business w/ Cisco ASA and 2821
Posted on 2008-06-16
Just need some quick confirmation that a proposed solution makes sense. I'm looking to set up static VPNs between three sites, and also provide internet access to all staff at the three sites. There's a main office that currently has about 300 users, and several servers that need public IPs (mail, web, etc.) as well as some servers that *don't* need public IPs (Windows fileservers, mostly). I'll call this site "HQ". HQ currently uses a Cisco 2821 with the advanced security bundle, including the VPN bundle. Users authenticate against Windows AD for remote access to the internal HQ file servers; it works beautifully.
There are two other remote sites due for some changes. HQ currently connects to a branch office ("Branch1") over a leased line. Branch1 has a maximum of 100 users or so, needs basic internet access for users, and the ability to access servers at HQ and its own fileservers remotely over a VPN. Orders have come down to move to a less expensive alternative than the leased line. There is a strong push to move Branch1 onto a Comcast cable connection, together with HQ. Similarly, there's a very small Branch2 office, with no servers, but on days when one or two staff are visiting that location, they will need VPN access to the servers at both other sites and full NAT'd internet access.
I'd like confirmation that I can set up a static VPN between the 2821 router at HQ and both branch offices if I purchase Cisco ASA 5505s with the advanced security bundle for those locations. There is a strong push to do it over Comcast business connections, so we can have a public IP (or 3 or 4) at each site, if necessary.
I believe we'll need two of Cisco part number CIS-ASA5505-SEC-BUN-K9, which provides "unlimited" connections. I would like to continue authenticating against our Active Directory domain server. I'm planning to configure the external ethernet port on the router or ASA to respond to the public IP addresses provided by Comcast.
Can a Cisco guru confirm this is a sensible approach? Am I overlooking anything major? Is the 5505 too wimpy for this many connections/users? Want to keep the 2821 in use, since it's been such a tank for us so far. Thanks.
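Added example (not from the original post, and not a configuration from the poster or from Cisco): a minimal static LAN-to-LAN IPsec tunnel between the HQ 2821 (IOS) and the Branch1 ASA 5505 (ASA 8.0/8.2-era syntax), with overload NAT for user internet access at both ends. All addresses are RFC 5737 documentation ranges, and the interface names, ACL/crypto-map names, subnets and pre-shared key are assumed placeholders. The two gateways authenticate each other with the pre-shared key (certificates are the alternative); the Active Directory authentication described in the post applies to user remote-access sessions terminated on the router, not to the static tunnel itself. The one thing practitioners most often miss is shown explicitly on both sides: traffic destined for the other site must be exempted from NAT, or it is translated to the public address and never matches the crypto ACL.

```text
! ===== HQ: Cisco 2821 (IOS) =====
! Assumed addressing (example values, not from the post):
!   HQ outside      203.0.113.1/29   HQ LAN      10.1.0.0/16
!   Branch1 outside 198.51.100.1/29  Branch1 LAN 10.2.0.0/16
!
! Phase 1 (ISAKMP) policy and the pre-shared key for the Branch1 peer.
! A static Comcast address at each site is what makes "address <peer>" work.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 198.51.100.1
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! "Interesting" traffic: HQ LAN <-> Branch1 LAN (wildcard masks on IOS)
ip access-list extended VPN-TO-BRANCH1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address VPN-TO-BRANCH1
!
! Internet NAT for users. The deny line MUST come before the permit,
! otherwise site-to-site traffic is translated and never enters the tunnel.
ip access-list extended NAT-INSIDE
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description Comcast business
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 crypto map CM-OUTSIDE
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 203.0.113.6

! ===== Branch1: Cisco ASA 5505 (ASA 8.0/8.2-era syntax) =====
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.248
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 198.51.100.6
!
! Phase 1 must match the router's policy (AES-256 / SHA / DH group 2 / PSK)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
!
! LAN-to-LAN tunnel group keyed on the HQ peer address
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! Phase 2 and the mirror-image crypto ACL (subnet masks on ASA, not wildcards)
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
access-list VPN-TO-HQ extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map CM-OUTSIDE 10 match address VPN-TO-HQ
crypto map CM-OUTSIDE 10 set peer 203.0.113.1
crypto map CM-OUTSIDE 10 set transform-set TS-AES
crypto map CM-OUTSIDE interface outside
!
! PAT for user internet access, plus NAT exemption ("nat 0") for tunnel traffic
global (outside) 1 interface
nat (inside) 1 10.2.0.0 255.255.0.0
nat (inside) 0 access-list VPN-TO-HQ
```

The Branch2 tunnel is the same pattern with a second crypto-map sequence (`crypto map CM-OUTSIDE 20 ...`) on the 2821, a second ISAKMP key for that peer, and a second `deny` line in the NAT ACL. The crypto ACLs must be exact mirror images of each other or Phase 2 negotiation fails with a proxy-identity mismatch. The AES-256/SHA-1/DH group 2 parameters reflect what the 2008-era IOS and ASA 8.0 images supported; on current software a practitioner would choose SHA-2 integrity, DH group 14 or higher, and IKEv2 where both ends support it.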