08-07-2007 08:12 AM - edited 03-09-2019 06:32 PM
I have a customer who is moving their servers to a new data centre from the head office (HO) but the ISP connection has to remain. What I need to achieve is a way to extend, securely, 6 DMZ?s from the HO to the new data centre.
My original idea was to use a pair of ASA 5520?s creating multiple L2L IPSec VPN connections - one for each DMZ to data centre.
6 DMZ VLANs [3750] --> [ASA5520]-->Layer 2 network --> [ASA5520] --> [3750] --> 6 DMZ VLANs
However, after trying to configure this I?ve come across a stumbling block. You can?t create multiple bidirectional L2L IPSec connection between two interfaces. I know conventionally implementation like this are of hub spoke design.
Another thought was to use dot1q tunnelling but I?m concerned about the security of this.
Any thoughts would be really welcomed!
Cheers,
James
08-07-2007 08:21 AM
Why do you need 1 tunnel for each dmz? Why not just 1 tunnel for all 6?
08-07-2007 09:06 AM
Hi Acomiskey,
The customer currently has 6 distinct DMZ networks and we want to replicate these at the new location. The security model that they have adopted requires that they must be kept separate unfortunately.
Regards,
James
08-08-2007 01:29 AM
Hi Acomiskey,
After a nights sleep i see what you mean. A single VPN connection between the two ASA's will do the job.
Thanks for your help,
James
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: