Tunnelling a DMZ across an internal network dilemma

Aug 7th, 2007

I have a customer who is moving their servers to a new data centre from the head office (HO) but the ISP connection has to remain. What I need to achieve is a way to extend, securely, 6 DMZs from the HO to the new data centre.

My original idea was to use a pair of ASA 5520s creating multiple L2L IPSec VPN connections - one for each DMZ to data centre.

6 DMZ VLANs [3750] --> [ASA5520]-->Layer 2 network --> [ASA5520] --> [3750] --> 6 DMZ VLANs

However, after trying to configure this I've come across a stumbling block. You can't create multiple bidirectional L2L IPSec connections between two interfaces. I know conventional implementations like this are of hub-and-spoke design.

Another thought was to use dot1q tunnelling but I'm concerned about the security of this.

Any thoughts would be really welcomed!



acomiskey Tue, 08/07/2007 - 08:21

Why do you need 1 tunnel for each dmz? Why not just 1 tunnel for all 6?

jbutler007 Tue, 08/07/2007 - 09:06

Hi Acomiskey,

The customer currently has 6 distinct DMZ networks and we want to replicate these at the new location. The security model that they have adopted requires that they must be kept separate unfortunately.



jbutler007 Wed, 08/08/2007 - 01:29

Hi Acomiskey,

After a night's sleep I see what you mean. A single VPN connection between the two ASAs will do the job.

Thanks for your help,
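The approach the thread settles on, written out as an added example (not configuration posted by anyone in the thread): one L2L IPsec tunnel between the two ASA 5520s whose crypto ACL carries one entry per DMZ pair, so each DMZ only ever reaches its twin on the far side. Syntax follows ASA 7.x/8.0-era CLI; the peer address, subnets, interface names and pre-shared key are constructed placeholders. Only the HO side is shown; the data-centre ASA mirrors it with source and destination swapped.

```cisco
! --- HO ASA 5520 (constructed example; mirror on the data-centre ASA) ---
! Six DMZ interfaces, each its own VLAN/subnet, each its own security level.
interface GigabitEthernet0/1.11
 vlan 11
 nameif dmz1
 security-level 50
 ip address 10.1.1.1 255.255.255.0
! ... dmz2 .. dmz6 on vlan 12-16 / 10.1.2.0 .. 10.1.6.0 follow the same pattern

! One "interesting traffic" ACL for the single tunnel: one line per DMZ pair.
! Because each line only pairs DMZ-n with the remote DMZ-n, DMZ-1 traffic is never
! encrypted towards remote DMZ-2; a cross-DMZ packet simply does not match and
! is dropped by the normal interface ACLs.
access-list L2L-DMZ extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list L2L-DMZ extended permit ip 10.1.2.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L-DMZ extended permit ip 10.1.3.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list L2L-DMZ extended permit ip 10.1.4.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list L2L-DMZ extended permit ip 10.1.5.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list L2L-DMZ extended permit ip 10.1.6.0 255.255.255.0 10.2.6.0 255.255.255.0

! Exempt the same pairs from NAT so real addresses cross the tunnel.
access-list NO-NAT-DMZ1 extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (dmz1) 0 access-list NO-NAT-DMZ1
! ... repeat NO-NAT-DMZn / nat (dmzn) 0 for dmz2 .. dmz6

! Phase 1 (IKEv1) policy and phase 2 transform set.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! A single crypto map entry; the ASA negotiates one IPsec SA pair per ACL line,
! so all six DMZ pairs ride one IKE SA to one peer.
crypto map OUTSIDE-MAP 10 match address L2L-DMZ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK

! By default decrypted VPN traffic bypasses interface ACLs on the ASA.
! Turn that off so the per-DMZ interface ACLs still govern what arrives
! from the far side; otherwise the tunnel silently widens the DMZ policy.
no sysopt connection permit-vpn
```

The separation the customer's security model requires comes from two places, not the tunnel itself: the crypto ACL only ever pairs like-numbered DMZs, and with `sysopt connection permit-vpn` disabled the existing interface ACLs on each `dmzN` interface keep applying to decrypted traffic. Checking `show crypto ipsec sa` on either ASA should list six distinct local/remote proxy identities under the one peer; an unexpected seventh, or a proxy that spans two DMZ subnets, is the thing to look for when auditing the design.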
