topic Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall in Firewall and Security Management

Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Mon, 22 Apr 2024 19:58:42 GMT

I am planning to deploy a Site-to-Site VPN connection between a 6500 appliance in our central office and a 1575 SMB firewall at a branch office. The primary function of the branch office firewall is to establish the VPN tunnel.

Are there any specific considerations I need to be aware of when configuring a Site-to-Site VPN between these two firewall models?

I would appreciate any relevant guides or best practices documents that can assist us with this deployment.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

the_rock — Mon, 22 Apr 2024 22:14:12 GMT

Hey bro,

Nothing special really. I had even seen people do it as permanent tunnel (per gateway option) and works fine.

Andy

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

CaseyB — Tue, 23 Apr 2024 14:46:05 GMT

If we are making the following assumptions:

Both firewalls are directly connected to the Internet.
Both firewalls are using static addresses.
No overlapping subnets.

Then as @the_rock said, there shouldn't be anything special for you to do in this case. I would create a Star VPN Community with the 1575 SMB being the satellite, gateway to gateway VPN tunnel sharing, set permanent tunnels, and then choose the VPN routing option that makes sense. We like to route all Internet traffic back to HQ, but that is not everyone's preference.

If you are using the recommended method of certificates for this VPN connection, make note of when your certificates are set to expire as you want to avoid any outages that may occur with that.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Wed, 24 Apr 2024 06:41:15 GMT

I think shared secret is the way we go for this installation.

The idea is to have same VLANs behind the HQ at the branch office (not all of them only 3-4), so that the users do not feel any change!

How can that be done? I mean having the same VLANs on both sides? Should we have a switch on the branch to get the VLANs?

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

_Val_ — Wed, 24 Apr 2024 07:28:05 GMT

You can only use a shared secret if the branch GW is managed locally or by another SMS. If both the main office cluster and the branch office are managed by the same management server, you don't really need it in the first place.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Wed, 24 Apr 2024 09:39:08 GMT

You have a point there, the branch office should be added to SMS first (SIC), then a S2S should be created.

What about my question about VLANs, how to go with it?

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

the_rock — Wed, 24 Apr 2024 11:18:09 GMT

As Val said, if both are managed by same mgmt server, then just use certificates. Otherwise, PSK is fine.

Andy

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

CaseyB — Wed, 24 Apr 2024 12:46:11 GMT

Extending L2 to remote sites is not really a networking best practice. The VPN component is L3, I do not have a good answer for you.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Wed, 24 Apr 2024 13:14:33 GMT

so what is the best practice to solve that problem?

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

_Val_ — Wed, 24 Apr 2024 13:20:34 GMT

If you have overlapping IP spaces between the sites, you will need to NAT one of the locations to different IPs.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

the_rock — Wed, 24 Apr 2024 13:35:57 GMT

As Val said, you have to do NAT here, there is really no other viable option.

Andy

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

CaseyB — Thu, 25 Apr 2024 14:15:40 GMT

Generally speaking, you would want all remote sites to be L3 with their own separate networks and VLANs. You said you want the VLAN to be the same so users do not feel any change, I'm not sure how your network would be setup in a way that providing them a different IP address would change their overall experience. I know our end-users have no idea what IP they are getting and could not careless, nor do they notice a difference roaming between sites.

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Thu, 25 Apr 2024 14:27:02 GMT

Maybe i was not clear above. it is absolutely not important to have same VLANs on both sites. What is important is to have connectivity.

If VLAN 419 is on central site, no problem to create VLAN 420 on branch site (different subnet). What i need is a guide on how to do it? after the creation of a site to site VPN. So how to proceed?

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

the_rock — Thu, 25 Apr 2024 14:28:30 GMT

That should be taken care of by ensuring enc. domains include subnets for thise vlans...makes sense?

Andy

Re: Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

Moudar — Mon, 06 May 2024 09:35:22 GMT

Is using VTIs is a possible solution ?