Tunnelling a DMZ across an internal network dilemma

Unanswered Question
Aug 7th, 2007

I have a customer who is moving their servers to a new data centre from the head office (HO) but the ISP connection has to remain. What I need to achieve is a way to extend, securely, 6 DMZ?s from the HO to the new data centre.

My original idea was to use a pair of ASA 5520?s creating multiple L2L IPSec VPN connections - one for each DMZ to data centre.

6 DMZ VLANs [3750] --> [ASA5520]-->Layer 2 network --> [ASA5520] --> [3750] --> 6 DMZ VLANs

However, after trying to configure this I?ve come across a stumbling block. You can?t create multiple bidirectional L2L IPSec connection between two interfaces. I know conventionally implementation like this are of hub spoke design.

Another thought was to use dot1q tunnelling but I?m concerned about the security of this.

Any thoughts would be really welcomed!

Cheers,

James

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Tue, 08/07/2007 - 08:21

Why do you need 1 tunnel for each dmz? Why not just 1 tunnel for all 6?

jbutler007 Tue, 08/07/2007 - 09:06

Hi Acomiskey,

The customer currently has 6 distinct DMZ networks and we want to replicate these at the new location. The security model that they have adopted requires that they must be kept separate unfortunately.

Regards,

James

jbutler007 Wed, 08/08/2007 - 01:29

Hi Acomiskey,

After a nights sleep i see what you mean. A single VPN connection between the two ASA's will do the job.

Thanks for your help,

James

Actions

This Discussion