Re: Site-to-Site VPN Deployment: 6500 Appliance to...

Moudar

Hi

I am planning to deploy a Site-to-Site VPN connection between a 6500 appliance in our central office and a 1575 SMB firewall at a branch office. The primary function of the branch office firewall is to establish the VPN tunnel.

Are there any specific considerations I need to be aware of when configuring a Site-to-Site VPN between these two firewall models?

I would appreciate any relevant guides or best practices documents that can assist us with this deployment.

the_rock

Hey bro,

Nothing special really. I had even seen people do it as permanent tunnel (per gateway option) and works fine.

Andy

CaseyB

If we are making the following assumptions:

Both firewalls are directly connected to the Internet.
Both firewalls are using static addresses.
No overlapping subnets.

Then as @the_rock said, there shouldn't be anything special for you to do in this case. I would create a Star VPN Community with the 1575 SMB being the satellite, gateway to gateway VPN tunnel sharing, set permanent tunnels, and then choose the VPN routing option that makes sense. We like to route all Internet traffic back to HQ, but that is not everyone's preference.

If you are using the recommended method of certificates for this VPN connection, make note of when your certificates are set to expire as you want to avoid any outages that may occur with that.

Moudar

Hi

I think shared secret is the way we go for this installation.

The idea is to have same VLANs behind the HQ at the branch office (not all of them only 3-4), so that the users do not feel any change!

How can that be done? I mean having the same VLANs on both sides? Should we have a switch on the branch to get the VLANs?

_Val_

You can only use a shared secret if the branch GW is managed locally or by another SMS. If both the main office cluster and the branch office are managed by the same management server, you don't really need it in the first place.

Moudar

You have a point there, the branch office should be added to SMS first (SIC), then a S2S should be created.

What about my question about VLANs, how to go with it?

the_rock

As Val said, if both are managed by same mgmt server, then just use certificates. Otherwise, PSK is fine.

Andy

CaseyB

Extending L2 to remote sites is not really a networking best practice. The VPN component is L3, I do not have a good answer for you.

Moudar

so what is the best practice to solve that problem?

_Val_

If you have overlapping IP spaces between the sites, you will need to NAT one of the locations to different IPs.

the_rock

As Val said, you have to do NAT here, there is really no other viable option.

Andy

CaseyB

Generally speaking, you would want all remote sites to be L3 with their own separate networks and VLANs. You said you want the VLAN to be the same so users do not feel any change, I'm not sure how your network would be setup in a way that providing them a different IP address would change their overall experience. I know our end-users have no idea what IP they are getting and could not careless, nor do they notice a difference roaming between sites.

Moudar

Maybe i was not clear above. it is absolutely not important to have same VLANs on both sites. What is important is to have connectivity.

If VLAN 419 is on central site, no problem to create VLAN 420 on branch site (different subnet). What i need is a guide on how to do it? after the creation of a site to site VPN. So how to proceed?

the_rock

That should be taken care of by ensuring enc. domains include subnets for thise vlans...makes sense?

Andy

Moudar

Is using VTIs is a possible solution ?

Are you a member of CheckMates?

Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall