From: Bill Coward (bill.coward@gmail.com)
Date: Mon Apr 16 2007 - 18:36:44 ART
Wow, I can't imagine managing dozens of tunnels on a router...
I work for a large cable TV provider in the South... We recently migrated
from 3 3030 VPN Concentrators to a pair of ASAs (active failover) for our
vendor connectivity. The Cisco Concentrators are cool, but the ASAs with the
ASDM bring the configuration management ease to another level. We have
hundreds of vendors, contractors, banks and suppliers on our ASAs using
IPSec L2L tunnels as well as the Cisco VPN Client.
We have CSM installed and running but are using it just for backup purposes
for now; it seems to be particular to the version of ASA, and does not
play well with our older PIX devices.
We also have 12 ASAs deployed in our remote markets for our Internet
security and employee remote VPN access. We are testing the RSA key fobs
with RADIUS 2-factor authentication, which works well and will deploy later
this summer... that's a lot of fobs.
Overall I think the ASAs have sped up our tunnel deployment and
troubleshooting time, even though we don't use the command line (I like to
think I'm old school), but sometimes you have to go with the flow.
-my 2 cents
-Bill
On 4/16/07, Guyler, Rik <rguyler@shp-dayton.org> wrote:
>
> I'm replacing the entire edge network for my organization later this year
> and need an opinion from the group.
>
> I have several dozen IPSec VPN tunnels to vendors that terminate currently
> on a 3660 router running 12.2T code. While I love using routers for VPN
> work due to their excellent flexibility, I find that managing a large
> number of connections is cumbersome and awkward. The inability to nest
> ACLs or create object groups makes the config (from the CLI) just crazy
> to work around in.
>
> I do have the latest version of Cisco Security Manager but don't have it
> up and running yet (waiting on the server) to see just how well it can
> manage my VPN router. If it's anything like VMS was then I won't likely
> use it for management.
>
> Here are my possible alternatives:
>
> 1) Stay with the plan of replacing the 3660 with a pair of 3845s running
> IPSec SSO, etc. and use CSM to manage it
>
> 2) Replacing the 3660 with a pair of ASAs instead of the 3845s and use
> CLI, CSM or something else to manage it
>
> Either way, I can work through the hassle of it the way it is but I have
> others on my team that are not so comfortable with the CLI so I really
> want to use some other type of management interface for their benefit.
>
> Any advice or opinion on the subject greatly appreciated!
>
> Rik