At my job we have over 50 international sites and we use Cisco ASAs as VPN tunnel makers and nothing more. We do not use them to their full capabilities, only VPN tunnels. Do you guys have a recommendation to replace these devices with a better product? These sites do not need to talk to each other; it just needs to be a giant hub-and-spoke wheel network.
As others said, it depends on the requirements. Some options:
- Just routing, no fancy NGFW: VyOS with DMVPN https://docs.vyos.io/en/equuleus/configuration/vpn/dmvpn.html
- Fortigate + Fortimanager with ADVPN
- Some SD-WAN solution of sorts
What is the reason for upgrading? If it is just the ASA being end-of-life, then I’d just get Firepower hardware and run ASA code on it, since it sounds like you don’t need the NGFW functionality in this implementation.
If the ASAs are doing their job and you don’t have any other business requirements or goals you are aiming for, the most obvious choice is to just replace them without having to configure stuff.
If you need to improve security, improve performance, or want to reduce the TCO, this could have an impact on the equipment you are looking for.
For example, I love the simplicity and effectiveness of Cato Networks. This global player makes MPLS networks something from the past. Users, offices, factories or whatever are connected within minutes and with great performance.
In a datacenter or location that needs extra security with heavy internal segmentation I would still place an enterprise firewall. My preference would go to FortiGate in these scenarios, but every other firewall will do. Fortinet provides a great SD-WAN solution and the 50 locations can easily connect with it. Fortinet is also working on a global backbone to provide great connectivity with FortiSASE.
Most network vendors are working on similar solutions to provide a better user experience, so Cisco probably provides some kind of similar product.
Last but not least, take a look at Azure Virtual WAN. Maybe you can leverage the global network of Microsoft to provide better connectivity to the 50 locations.
What are your overall needs? Are you looking for a box that just does VPNs or do you want to get a better firewall that can also do VPNs?
What are your throughput requirements, security requirements, any other needs and budget?
Depends what your needs are but Meraki’s AutoVPN can perform this task and reduce the maintenance effort.
Personally, those are fine just as a VPN concentrator; I’ve been at a few orgs that leveraged HA pairs as dedicated VPN appliances.
You’d spend a lot more in appliance cost, time, potential issues, cutover windows, etc., to replace them with minimal benefit.
If you’re looking to change, check out Tailscale.
Have you looked into ZeroTier at all for a VPN solution? It’s a simple solution for this use case. Here’s an example we used for remote-access VPNs, but the same idea can be used for connecting offices.
Is this for site-to-site VPNs, client VPN, or both? AnyConnect still seems to be the best client VPN option I’ve come across. GlobalProtect/FortiClient just aren’t as user-friendly in my experience.
pfSense running on inexpensive Netgate boxes.
Edit: Not sure why the downvotes, but it would appear OP is looking to just build a hub-and-spoke VPN, which one could easily roll on their own using pfSense with IPsec.
If supported, consider doing VPN from your sites’ switches/routers. Eliminate cost and complexity. Assuming, of course, you’re not doing any kind of firewall/inspection.
We use routers to terminate the IPsec and let the firewalls do the NAT and ACLs. I think it works better.
If you’re just doing a site-to-site hub, a FortiGate 40F will easily push 1 Gbps of pure IPsec. Had a 1200-branch setup with 60Es and 40Fs. Probably around $400 unlicensed, but lead times are 100+ days long. I’d consider licensing them though for the security features, warranty, etc.
I’m going to get a lot of hate for this, but we implemented FTD with FMC managing all of our sites. We did this for two reasons: we’re a Cisco shop and need to use what we serve our customers, and we get 80% NFR pricing because of this.
We have had no problems since we went to FTD solution but it takes a TON of training to set them up and utilize them.
The great thing about using FMC/FTD is setting up site-to-site is so easy a monkey could do it. Easy to set up hub/spoke with little challenge.
Most firewalls seem to have mature IPSec stacks these days, so I’d say that you can’t really go wrong here.
I assume you’re talking about site-to-site VPN tunnels here? What kind of bandwidth? Are your sites doing BGP with redundant ISPs, or are you using 4G failover at many sites?
Many SD-WAN vendors seem quite compelling these days for smaller branch offices. Limited but discoverable web GUI configuration, with easy 4G failover where needed. Or do it yourself with a DMVPN implementation.
The reason for the upgrade and the budget are two important pieces of information to have in order to suggest a proper solution.
I keep hearing that. We have FortiGates all over the place but I’m too scared to move my users to FortiClient.
I’m in a similar situation as OP where I have an ASA5516-X just for AnyConnect; it originally was running FTD, but that was a dumpster fire, so I flashed it with ASA code. I did this four years ago when FTD was at its worst and it seemed like the ASA code was the best option for AnyConnect. Are there better ways of hosting AnyConnect now in 2022?
I think I’d say the only complaint I have with GlobalProtect is you need to be careful about which version you release to your endpoints… Don’t be a guinea pig.
FTD has matured a lot since then. Depending on your needs, going to FTD might not be a bad idea.