Separate Firewall for Site to Site VPNs and RA VPNs?

Hey everyone!

Here is our dilemma -

We have Cisco FPR 2140s (4 of them, 2 HA pairs, 1 pair at each data center). We are currently trying to set up ECMP but we found out that SSL cannot be enabled on interfaces that you want to participate in ECMP. Fine, we are in the process of converting them to IPsec, but the implementation of IPsec RA VPN to a Cisco Firepower sucks honestly. It seems it was an afterthought, as there has to be a local XML on every endpoint in order for the first connection to be made (after the first connection, the endpoint pulls the XML from the firewall).

We don’t think we can do this because of the mobile IoT devices that our company VPNs with. We also have some site to sites that are causing us to make VTIs and our company just keeps growing it seems and the firewalls are getting more complex with that. (sorry for the rant)

QUESTION - We are looking into getting 2 separate firewalls (1 at each data center) to handle RA VPN, site to sites and any other odds and ends. We have public IP addressing to accomplish this, but I am wondering if anyone else does something similar? Breaking portions of the config out onto different devices just to make it simpler, rather than trying to do everything on one firewall?

I can’t speak to how common it is across the board but it is a thing, especially at scale. I’ve got at least two and one “very large” clients at work that are splitting VPN functions between devices.

Yeah I’ve run both types of deployment. Currently I run separate firewalls due to performance concerns with how many users we have connecting and the throughput north/south in our data centers. It gives us a lot more room for growth and we can run decryption for all our users without impacting our data center firewall performance. It also reduces the blast radius if things go wrong with the firewalls. Depending on your design, traffic may traverse multiple firewalls so having centralized management of policies and objects will help.

I’d say do it if you can afford it. Makes management and troubleshooting easier. We run all on one HA pair. I wish I had separate devices for management and routing reasons.

I do similar. All my firewalls connect into a VRF on my core switches and advertise their routes in using BGP.
I have a pair for vpn/mpls termination and then a pair for servers/sites. Works very very well.

I actually don’t even mix S2S VPNs with SSL VPNs on the box. I have separate devices for everything.
Depends on the scale of your business and its needs.
SSL VPN became very important to us after the first wave of COVID.

It depends how many site to sites you have. If you have a bunch then it makes sense to create a separate failure domain for site to sites and RA VPN.

Though it sounds like most of the issues you’re having stem not from the design but the general shittiness of Cisco Firepower/ASA platforms. They have never been a great platform for terminating site to site tunnels on. This crap wouldn’t be an issue on a Palo Alto :)

I’ve also done it where we needed better routing features and QoS on VPNs and the place was a Cisco house, so I used an ASR1001X as a VPN concentrator and left the RA VPN on the ASAs. Security-wise I just created a few VRFs for segregation and pushed it up to the perimeter firewall for filtering.

I wouldn’t mix SSL VPN with S2S either. I would rather separate them physically or create a context (or VDOM in the Forti world), one for S2S and one for RA VPN, each with their own public IP. It will be easier to manage them. But if you can afford it, get yourself separate firewalls at each site (HA pair) for the SSL VPN, and it does not need to be a big firewall with heavy specs.

We are getting rid of our VPN and moving to zero trust/SSE. It offers all the functionality in a much simpler way. It’s actually significantly more secure. Don’t have to deal with firewalls and ACL rules etc. I was pretty shocked at how simple some of these newer strategies can be.

Cisco even has a built-in feature for load balancing across multiple distinct ASAs.

So it’s definitely a thing and something that they planned for at scale.