I am looking into the 3845 as part of a VoIP proposal for my company. I have a design idea that I want to throw out here and see if people could tear it apart and tell me if my logic seems reasonable.
Current network: Cisco 1841 router with T1 CSU/DSU WIC is our only Internet connection at the moment. We have an ASA 5510 as the outer firewall. This is where our IPSec VPN and SSL VPN connections terminate into our network. We are running a Microsoft ISA 2006 system as our backend firewall to protect our LAN. This also provides protection for our Outlook Web Access portal. There is a static NAT entry in our ASA for the ISA firewall system to avoid issues with double PAT being done on packets. A DMZ subnet exists between the ASA and the ISA.
Proposed Design: In the attached image is how I would like to change our structure to accommodate a VoIP enabled 3845 (This is the router proposed by our VAR). Instead of using the router as a dedicated PBX somewhere in our LAN, it obviously makes sense to replace our 1841 with the 3845. We still want to maintain our dual firewalls to keep the DMZ in between.
I want to use the IOS firewall on the 3845 to provide initial firewall protection (What is currently the ASA). It can also provide NAT and PAT as the ASA is currently doing in our network. I would then drop the ASA back as the back-end firewall (while also adding a second for failover), and dropping the ISA proxy off to the side (QoS not supported with this system, but we still want to use it for OWA/ActiveSync and web caching, etc). IPSec/SSL VPN connections will travel through the 3845 and terminate into the ASA cluster.
I also plan on implementing QoS
Questions/concerns I have:
1.) With the 3845 and a gigabit switch module installed, can I placed ports into different VLANs?
2.) Will creating a static NAT for the ASA's DMZ address on the 3845 cause issues with my IPSec and SSL VPNs?
3.) Will inter-office call quality be effected by having to travel through the ASA?