Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
777
Views
0
Helpful
2
Replies

Cisco 3845 InterVLAN routing

support
Level 1
Level 1

‎04-16-2008 11:47 AM - edited ‎03-03-2019 09:35 PM

Hello,

I am looking into the 3845 as part of a VoIP proposal for my company. I have a design idea that I want to throw out here and see if people could tear it apart and tell me if my logic seems reasonable.

Current network: Cisco 1841 router with T1 CSU/DSU WIC is our only Internet connection at the moment. We have an ASA 5510 as the outer firewall. This is where our IPSec VPN and SSL VPN connections terminate into our network. We are running a Microsoft ISA 2006 system as our backend firewall to protect our LAN. This also provides protection for our Outlook Web Access portal. There is a static NAT entry in our ASA for the ISA firewall system to avoid issues with double PAT being done on packets. A DMZ subnet exists between the ASA and the ISA.

Proposed Design: In the attached image is how I would like to change our structure to accommodate a VoIP enabled 3845 (This is the router proposed by our VAR). Instead of using the router as a dedicated PBX somewhere in our LAN, it obviously makes sense to replace our 1841 with the 3845. We still want to maintain our dual firewalls to keep the DMZ in between.

I want to use the IOS firewall on the 3845 to provide initial firewall protection (What is currently the ASA). It can also provide NAT and PAT as the ASA is currently doing in our network. I would then drop the ASA back as the back-end firewall (while also adding a second for failover), and dropping the ISA proxy off to the side (QoS not supported with this system, but we still want to use it for OWA/ActiveSync and web caching, etc). IPSec/SSL VPN connections will travel through the 3845 and terminate into the ASA cluster.

I also plan on implementing QoS

Questions/concerns I have:

1.) With the 3845 and a gigabit switch module installed, can I placed ports into different VLANs?

2.) Will creating a static NAT for the ASA's DMZ address on the 3845 cause issues with my IPSec and SSL VPNs?

3.) Will inter-office call quality be effected by having to travel through the ASA?

Thanks,

Brantley Richbourg

Labels:
Preview file
120 KB
0 Helpful
2 Replies 2

paolo bevilacqua
Hall of Fame
Hall of Fame

‎04-16-2008 12:03 PM

Hi, very quickly

1. yes. the switch module is actually a true 3750 that you can also buy "regular" if you have the space (the 3750 is quite deep).

2. no. you can keep vpn and ssl vpn on the asa, or have the 3845 to do them

3. no.

Note I don't know what's you circuits speed but you can probably do wit less than a 3845 :)

0 Helpful

support
Level 1
Level 1
In response to paolo bevilacqua

‎04-16-2008 12:33 PM

Thanks! That was what I was thinking, but I just wanted to make sure before I make a significant investment in the equipment to later find out it does not work as I hoped. ;)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card