Tunnelling a DMZ across an internal network dilemma

jbutler007 · ‎08-07-2007

I have a customer who is moving their servers to a new data centre from the head office (HO) but the ISP connection has to remain. What I need to achieve is a way to extend, securely, 6 DMZ?s from the HO to the new data centre.

My original idea was to use a pair of ASA 5520?s creating multiple L2L IPSec VPN connections - one for each DMZ to data centre.

6 DMZ VLANs [3750] --> [ASA5520]-->Layer 2 network --> [ASA5520] --> [3750] --> 6 DMZ VLANs

However, after trying to configure this I?ve come across a stumbling block. You can?t create multiple bidirectional L2L IPSec connection between two interfaces. I know conventionally implementation like this are of hub spoke design.

Another thought was to use dot1q tunnelling but I?m concerned about the security of this.

Any thoughts would be really welcomed!

Cheers,

James

acomiskey · ‎08-07-2007

Why do you need 1 tunnel for each dmz? Why not just 1 tunnel for all 6?

jbutler007 · ‎08-07-2007

Hi Acomiskey,

The customer currently has 6 distinct DMZ networks and we want to replicate these at the new location. The security model that they have adopted requires that they must be kept separate unfortunately.

Regards,

James

jbutler007 · ‎08-08-2007

Hi Acomiskey,

After a nights sleep i see what you mean. A single VPN connection between the two ASA's will do the job.

Thanks for your help,

James