Expert's opinion about a network infrastructure

Sep 26th, 2008

Hello folks!!

I'd like to ask your opinion on setting up a network topology with the following requirements:

- I have two sites: the headquarters and the datacenter site.

- In the headquarters, I have a Cisco ASA 5510.

- The requirements for the datacenter site's device (not acquired yet) are:

-> Three network interfaces to form a DMZ: one interface would be connected to the WAN, another would be connected to the DMZ and the last would be connected to the internal LAN.

-> This device must permit connections from mobile users.

-> One site-to-site VPN connection must be permitted from the central headquarters.

- The security requirements are:

-> VPN connections are permitted towards the DMZ.

-> Traffic between certain machines' ports in the DMZ and the internal LAN is permitted.

-> Traffic from the Internet to ports 80/443 of some machine in the DMZ is permitted.

- High availability on the datacenter site.

For the moment, I'm worrying about the site-to-site VPN connection:

Would a point-to-point VPN with GRE over IPsec, using static routing, be a good solution?

Somebody has told me that the ASA 5520 device is the best option for the datacenter site. What is your opinion about this?

I have seen the SDM software for setting up the device. Is it enough to configure the device with these requirements, or is the CLI better?

Thanks in advance for your comments!!




Marwan ALshawi Fri, 09/26/2008 - 18:19

About VPN with GRE:

IPsec is your friend for point-to-point VPN,

but GRE is used to pass routing or multicast traffic. If you need routing between sites, then consider GRE with IPsec.

If you want to have three separate interfaces, each with different access policies, then the ASA will be a good choice.

About configuration through a GUI like ASDM or the CLI:

the GUI is simpler and fair enough to do the job,

but the CLI is more advanced and gives more control.


if helpful Rate
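An added example, not from the thread and not Cisco's own documentation, of how the three-interface DMZ design and the three security requirements from the question look on the datacenter ASA. It uses ASA 8.3+ syntax (object NAT); the 8.0/8.2 releases current in 2008 spelled the same thing with `static`, `nat` and `global`. Hostnames, addresses, object names and the port 1433 database example are constructed for illustration. The part a practitioner should not miss is near the end: by default the ASA lets decrypted VPN traffic bypass interface ACLs (`sysopt connection permit-vpn`), so "VPN may reach the DMZ only" needs that default turned off (or a `vpn-filter`) in addition to the crypto ACL.

```cisco
! Added example: datacenter ASA with WAN / DMZ / inside (ASA 8.3+ syntax).
! Constructed addressing for illustration:
!   outside 203.0.113.2/29 (ISP next hop 203.0.113.1), public web VIP 203.0.113.3
!   dmz     172.16.10.0/24  web server 172.16.10.10
!   inside  10.20.0.0/24    DB server  10.20.0.50
!   HQ LAN  10.10.0.0/16    arrives over the site-to-site VPN
hostname dc-asa
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
object network DMZ-WEB
 host 172.16.10.10
 nat (dmz,outside) static 203.0.113.3
object network INSIDE-DB
 host 10.20.0.50
object network DMZ-NET
 subnet 172.16.10.0 255.255.255.0
object network INSIDE-NET
 subnet 10.20.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network HQ-NET
 subnet 10.10.0.0 255.255.0.0
! Keep real addresses on DMZ <-> HQ traffic so it matches the VPN crypto ACL
! (manual NAT is evaluated before the object NAT above).
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static HQ-NET HQ-NET no-proxy-arp route-lookup
!
! Requirement 3: Internet -> DMZ web server on 80/443 only.
! In 8.3+ the ACL names the real (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
! Requirement 1: the site-to-site VPN may reach the DMZ only. This line is what
! enforces it once decrypted traffic is subject to the interface ACL (see below).
access-list OUTSIDE_IN extended permit ip object HQ-NET object DMZ-NET
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! The default "sysopt connection permit-vpn" lets decrypted VPN traffic bypass
! OUTSIDE_IN entirely. Turn it off so the ACL above applies to the VPN as well.
no sysopt connection permit-vpn
!
! Requirement 2: only specific DMZ host/port pairs may reach the internal LAN.
access-list DMZ_IN extended permit tcp object DMZ-WEB object INSIDE-DB eq 1433
access-list DMZ_IN extended deny ip any object INSIDE-NET log
! Everything else from the DMZ (Internet, HQ over the VPN) stays allowed.
access-list DMZ_IN extended permit ip object DMZ-NET any
access-group DMZ_IN in interface dmz
!
! Checks: walk a packet through NAT and both ACLs before trusting the policy.
! One permitted and one forbidden case per requirement.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 443
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 22
packet-tracer input dmz tcp 172.16.10.10 40000 10.20.0.50 1433
packet-tracer input dmz tcp 172.16.10.10 40000 10.20.0.50 22
```

The inside interface has no ACL, so inside-to-DMZ and inside-to-Internet are allowed by the security levels alone; add an `INSIDE_IN` list if the "certain ports" requirement is meant to apply in that direction too.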

elias.manchon Fri, 09/26/2008 - 22:04

Hi Marwanshawi


Thanks for your comments.


What about high availability? How could I use two devices for failover? Is HSRP the solution for this issue, or are there other, easier solutions?


And the last question: can I use IPsec with the point-to-point VPN and static routing without problems?

Marwan ALshawi Sat, 09/27/2008 - 05:29

HSRP is good, but if you have L2 you need to consider STP as well with HSRP.

If you want to use static routes over the VPN, then GRE/IPsec is your choice.


good luck


if helpful Rate
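An added example, not from the thread, for the high-availability question. Two things are worth separating: the two-device mechanism on the ASA itself is active/standby failover, not HSRP, and the HSRP/STP pairing belongs on the layer-3 switch pair behind the firewall, where the active HSRP gateway should also be the spanning-tree root for that VLAN. Syntax is ASA 8.4+ and IOS; interface names, addresses, the failover key and the HSRP secret are constructed for illustration.

```cisco
! Added example. Part 1: ASA active/standby failover. Both units are the same
! model and licence; Ethernet0/3 is the dedicated failover + state link.
! --- primary unit ---
interface Ethernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover polltime interface 1 holdtime 5
! Each data interface gets a standby address. The units probe each other through
! these, which is how a dead interface (not just a dead box) triggers a switchover.
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.4
interface Ethernet0/1
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
interface Ethernet0/2
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
failover
! --- secondary unit: only the bootstrap; the rest is replicated from the primary ---
interface Ethernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret>
failover
!
! Part 2: layer-3 switch pair on the inside, VLAN 20 = server VLAN 10.20.0.0/24.
! Servers use 10.20.0.254 as gateway; the switches route to the ASA at 10.20.0.1.
! Switch A is BOTH the active HSRP gateway and the STP root for VLAN 20, so frames
! bridged toward the gateway do not take a detour through switch B.
! --- switch A ---
spanning-tree mode rapid-pvst
spanning-tree vlan 20 priority 4096
interface Vlan20
 ip address 10.20.0.252 255.255.255.0
 no ip redirects
 standby version 2
 standby 20 ip 10.20.0.254
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string <hsrp-secret>
ip route 0.0.0.0 0.0.0.0 10.20.0.1
! --- switch B (secondary root, HSRP standby) ---
spanning-tree mode rapid-pvst
spanning-tree vlan 20 priority 8192
interface Vlan20
 ip address 10.20.0.253 255.255.255.0
 no ip redirects
 standby version 2
 standby 20 ip 10.20.0.254
 standby 20 priority 100
 standby 20 preempt
 standby 20 authentication md5 key-string <hsrp-secret>
ip route 0.0.0.0 0.0.0.0 10.20.0.1
!
! Checks. On switch A, confirm it holds the Active role and that the Root ID
! section reports this bridge as the root; on the ASA, confirm the pair is
! Active / Standby Ready, then rehearse a switchover from the active unit.
show standby brief
show spanning-tree vlan 20
show failover
no failover active
```

If switch B ever wins the STP election (for example after a priority change on only one side), HSRP keeps working but every packet from the servers crosses the inter-switch link twice; the two `show` commands above are the quick way to catch that.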

elias.manchon Sat, 09/27/2008 - 07:56

Why do I need GRE over IPsec if I don't use routing protocols? I use static routing only, and these routing rules aren't passed through the GRE tunnel, really?


STP? And how are the connections with the six interfaces of the different devices?


Thanks again!!

Correct Answer
Marwan ALshawi Sun, 09/28/2008 - 03:19

If you use GRE with a static route, or any dynamic routing, you can make the tunnel always up.

With IPsec only, the static route should point to the remote site's public IP as the next hop, and the tunnel will come up when interesting traffic matches the crypto ACL in the crypto map.


STP with HSRP works for traffic going from L2 to L3; you need to make sure that the active HSRP device is the root bridge as well.


good luck

if helpful rate
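An added example, not from the thread, of the two site-to-site options contrasted in the answer above. In option A (IPsec only, crypto map) there is no tunnel interface: the static route for the HQ LAN simply points out the outside interface, and the crypto ACL alone decides what gets encrypted and when the SA is negotiated. In option B (GRE over IPsec) the static route points at the tunnel interface, and GRE keepalives withdraw that route when the peer stops answering. One caveat the thread does not state: the ASA (the 5510 at HQ, the 5520 proposed for the datacenter) cannot terminate GRE tunnels, so option B needs an IOS router at each end, for example behind each ASA, while option A works ASA to ASA. Syntax is ASA 8.4+ (IKEv1 keywords; 8.0 in 2008 spelled them `isakmp`) and IOS. Addresses, names and the pre-shared keys are constructed.

```cisco
! Added example. Option A: IPsec-only crypto map on the datacenter ASA.
! Assumed: HQ ASA public 198.51.100.1, HQ LAN 10.10.0.0/16, DC DMZ 172.16.10.0/24,
! DC outside 203.0.113.2/29 with ISP next hop 203.0.113.1.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
! The crypto ACL is the "interesting traffic". Only DMZ <-> HQ LAN is listed, so
! the internal LAN can never ride this tunnel, whatever the routing table says.
access-list VPN-HQ extended permit ip 172.16.10.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN-HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <long-random-psk>
! NAT exemption so DMZ <-> HQ keeps real addresses and matches VPN-HQ.
object network DMZ-NET
 subnet 172.16.10.0 255.255.255.0
object network HQ-NET
 subnet 10.10.0.0 255.255.0.0
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static HQ-NET HQ-NET no-proxy-arp route-lookup
! Routing: nothing to route "into". Packets for 10.10.0.0/16 follow the route out
! of outside; the crypto map on that interface catches those matching VPN-HQ and
! negotiates the SA on demand. The specific route is redundant with the default
! and is shown only to make the point.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside 10.10.0.0 255.255.0.0 203.0.113.1
! Checks, after sending one packet from the DMZ toward the HQ LAN:
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.1

! Option B: GRE over IPsec between IOS routers (datacenter router; mirror at HQ).
! Assumed: DC router public 203.0.113.10 on GigabitEthernet0/0, HQ router 198.51.100.10.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <long-random-psk> address 198.51.100.10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
 set pfs group14
! GRE keepalives: when the peer stops answering, line protocol on Tunnel0 drops
! and the static route below is withdrawn instead of black-holing traffic.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
 keepalive 10 3
! The static route points at the tunnel interface, not at the peer's public IP;
! only 198.51.100.10 itself needs a path out of Gi0/0.
ip route 10.10.0.0 255.255.0.0 Tunnel0
! Apply the thread's policy at the tunnel: HQ may reach the DMZ subnet only.
ip access-list extended FROM-HQ
 permit ip 10.10.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny ip any any log
interface Tunnel0
 ip access-group FROM-HQ in
! Checks
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.10
show interfaces tunnel 0 | include line protocol
show ip route 10.10.0.1
```

Two practical notes. On an IOS router with a crypto map (option A style), the static route for the remote LAN can indeed name the peer's public IP as next hop, as the answer says, because IOS resolves that next hop recursively through the outside interface; the ASA example above uses the ISP next hop because the outcome is the same and the packet still has to leave via `outside` to meet the crypto map. In option B the crypto ACL is gone, so the only thing keeping the internal LAN off the tunnel is the `FROM-HQ` access list and the absence of a route; keep that list on the tunnel interface at both ends.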
