expert's opinion about a network's infrastructure

Answered Question
Sep 26th, 2008

Hello folks!!

I'd like to ask your opinion on setting up a network topology with the following requirements:

- I have two sites: the headquarters and the datacenter site.

- At the headquarters, I have a Cisco ASA 5510.

- The requirements for the datacenter site's device (not acquired yet) are:

-> Three network interfaces to form a DMZ: one interface would be connected to the WAN, another to the DMZ and the last to the internal LAN.

-> This device must permit connections from mobile users.

-> One site-to-site VPN connection must be permitted from the central headquarters.

- The security requirements are:

-> VPN connections are permitted towards the DMZ.

-> Traffic between certain machines' ports in the DMZ and the internal LAN is permitted.

-> Traffic from the Internet to ports 80/443 of some machines in the DMZ is permitted.

- High availability at the datacenter site.

For the moment, I'm worried about the site-to-site VPN connection:

Would a point-to-point VPN with GRE over IPsec, using static routing, be a good solution?

Somebody has told me that an ASA 5520 at the datacenter site is the best option. What is your opinion about this?

I have seen the SDM software for setting up the device; is it enough to configure the device with these requirements, or is the CLI better?

Thanks in advance for your comments!!

Marwan ALshawi Fri, 09/26/2008 - 18:19

About VPN with GRE:

IPsec is your friend for point-to-point VPN,

but GRE is used to pass routing or multicast traffic. If you need routing between sites, then consider GRE with IPsec.

If you want to have three separate interfaces, each with different access policies, then the ASA will be a good choice.

About configuration through a GUI like ASDM or the CLI:

The GUI is simpler and fair enough to do the job,

but the CLI is more advanced and gives more control.

If helpful, rate.

elias.manchon Fri, 09/26/2008 - 22:04

Hi Marwan ALshawi,

Thanks for your comments.

What happens with the high availability? How could I use two devices for failover? Is HSRP the solution for this issue, or are there other, easier solutions?

And the last question: can I use IPsec with the point-to-point VPN and static routing without problems?

Marwan ALshawi Sat, 09/27/2008 - 05:29

HSRP is good, but if you have L2 you need to consider STP as well with HSRP.

If you want to use a static route over the VPN, then GRE/IPsec is your choice.

good luck

if helpful Rate

elias.manchon Sat, 09/27/2008 - 07:56

Why do I need GRE over IPsec if I don't use routing protocols? I use static routing only, and these routing rules aren't passed through the GRE tunnel, are they?

STP? And how are the connections with the six interfaces of the different devices?

Thanks again!!

Correct Answer
Marwan ALshawi Sun, 09/28/2008 - 03:19

If you use GRE with a static route, or any dynamic routing, you can make the tunnel always up.

With IPsec only, the static route should point to the remote site's public IP as the next hop, and the tunnel will come up when interesting traffic matches the ACL in the crypto map.

STP with HSRP works on traffic going from L2 to L3; you need to make sure that the active HSRP device is the root bridge as well.

good luck

if helpful rate
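As an added example (not configuration from the thread or from either poster), here is an IOS-style configuration of the two VPN approaches and the HSRP/STP point made in the answer above. It assumes Cisco IOS routers at both ends for the VPN part (GRE tunnel interfaces with tunnel protection are a router feature) and a Catalyst L3 switch for the HSRP/STP part; all addresses, interface names and the pre-shared key are constructed.

```cisco
! Added example, not from the thread: IOS-style configuration of the two
! approaches in the answer above. All addresses, names and keys are constructed.
! Local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24, remote peer 203.0.113.2.
! Options A and B are alternatives; a router would carry one of them, not both.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
! --- Option A: GRE over IPsec, static route via the tunnel interface ---
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-GRE
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
! Next hop is the tunnel itself, so the route stays up as long as the tunnel does
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! --- Option B: IPsec only (crypto map), static route to the peer's public IP ---
crypto ipsec transform-set TS-LAN esp-aes 256 esp-sha-hmac
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-LAN
 match address CRYPTO-ACL
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
! The SA is negotiated only when traffic matches CRYPTO-ACL (interesting traffic)
ip route 192.168.20.0 255.255.255.0 203.0.113.2
!
! --- HSRP active switch doubling as STP root for the datacenter LAN VLAN ---
spanning-tree vlan 20 root primary
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 standby 20 ip 192.168.20.1
 standby 20 priority 110
 standby 20 preempt
```

The standby switch gets the same VLAN configuration with a lower HSRP priority and `spanning-tree vlan 20 root secondary`, so that a failover moves both the gateway and the L2 root together.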
