I'd like to ask your opinion on setting up a network topology with the following requirements:
- I have two sites: the headquarters and the datacenter site.
- In the headquarters, I have a Cisco ASA 5510.
- The requirements for the datacenter site's device (not acquired yet) are:
-> Three network interfaces to form a DMZ: one interface would be connected to the WAN, another to the DMZ, and the last to the internal LAN.
-> This device must permit connections from mobile users.
-> One site-to-site VPN connection must be permitted from the central headquarters.
- The security requirements are:
-> The VPN connections are permitted towards the DMZ.
-> Traffic between certain machines' ports on the DMZ and the internal LAN is permitted.
-> Traffic from the Internet to ports 80/443 of some machines in the DMZ is permitted.
- High availability on the datacenter site.
For the moment, I am worried about the site-to-site VPN connection:
Would one point-to-point VPN with GRE over IPsec, using static routing, be a good solution?
Somebody has told me that the ASA 5520 is the best option for the datacenter site. What is your opinion about this?
I have seen the SDM software to set up the device; is it enough to configure the device with these requirements, or is the CLI better?
Thanks in advance for your comments!
If you use GRE with a static route (or any dynamic routing), you can make the tunnel always up.
With IPsec only, the static route should point to the remote site's public IP as the next hop, and the tunnel will come up when interesting traffic matches the crypto ACL in the crypto map.
STP with HSRP: for traffic going from L2 to L3, you need to make sure the active HSRP device is the root bridge as well.
If helpful, rate.
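The "always up" GRE-over-IPsec variant described in the reply, shown as an added example (not from the original thread) on a hypothetical Cisco IOS router at the headquarters side; a classic ASA cannot terminate GRE tunnels itself, so this assumes an IOS router does the tunnel termination. All addresses, the pre-shared key and the WAN next hop are placeholders (203.0.113.x / 192.0.2.x are documentation ranges).

```cisco
! Hypothetical headquarters IOS router. 203.0.113.1 = local public IP,
! 203.0.113.2 = datacenter public IP, 192.0.2.0/24 = datacenter DMZ (placeholders).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! Transport mode is enough: GRE already adds the outer IP header.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROFILE
 set transform-set TS
!
! Tunnel protection encrypts everything that enters the GRE tunnel, so no
! crypto ACL "interesting traffic" is needed to bring the IPsec SA up.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROFILE
 keepalive 10 3
!
! Static route for the datacenter DMZ points at the tunnel interface, so the
! tunnel carries traffic (and stays up) as long as keepalives succeed.
ip route 192.0.2.0 255.255.255.0 Tunnel0
! The peer's public IP must always be reached over the physical WAN path,
! never through the tunnel, or the tunnel would recurse and drop.
ip route 203.0.113.2 255.255.255.255 <WAN-NEXT-HOP-PLACEHOLDER>
```

Verify with `show crypto isakmp sa`, `show crypto ipsec sa` and `show interface Tunnel0`; if the route to 192.0.2.0/24 later moves to a dynamic protocol running over Tunnel0, keep the /32 route to the peer's public IP so the tunnel endpoint never recurses into the tunnel.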