09-26-2008 01:46 PM - edited 03-09-2019 09:34 PM
Hello folks!!
I'd like to ask for opinions on setting up a network topology with the following requirements:
- I have two sites: the headquarters and the datacenter site.
- In the headquarters, I have a Cisco ASA 5510.
- The requirements of the datacenter site's device (not acquired yet) are:
-> Three network interfaces to form a DMZ. One interface would be connected to the WAN, another would be connected to the DMZ and the last would be connected to the internal LAN.
-> This device must permit connections from mobile users.
-> One site-to-site VPN connection must be permitted from the central headquarters.
- The security requirements are:
-> The VPN connections are permitted in the direction of the DMZ.
-> Traffic between certain machines' ports in the DMZ and the internal LAN is permitted.
-> Traffic from the internet to ports 80/443 of some machine in the DMZ is permitted.
- High availability on the datacenter site.
For the moment, I am worried about the site-to-site VPN connection:
Would one point-to-point VPN with GRE over IPsec, using static routing, be a good solution?
Somebody has told me that the ASA 5520 device on the datacenter site is the best option. What is your opinion about this?
I have seen the SDM software to set up the device. Is it enough to configure the device with these requirements, or is CLI better?
Thanks in advance for your comments!!
09-26-2008 06:19 PM
About VPN with GRE:
IPsec is your friend in point-to-point VPN,
but GRE is used to pass routing or multicast traffic. If you need routing between sites, then consider GRE with IPsec.
If you wanna have three separate interfaces, each with different access policies, then the ASA will be a good choice.
About configuration through a GUI like ASDM or the CLI:
The GUI is simpler and fair enough to do the job,
but the CLI is more advanced and gives more control.
If helpful, rate.
09-26-2008 10:04 PM
Hi Marwanshawi
Thanks for your comments.
What happens with high availability? How could I use two devices for failover? Is HSRP the solution for this issue, or are there other, easier solutions?
And the last question: can I use IPsec with the point-to-point VPN and static routing without problems?
09-27-2008 05:29 AM
HSRP is good, but if you have L2 you need to consider STP as well with HSRP.
If you wanna use a static route over VPN, then GRE/IPsec is your choice.
Good luck.
If helpful, rate.
09-27-2008 07:56 AM
Why do I need GRE over IPsec if I don't use routing protocols? I use static routing only, and these routing rules aren't passed through the GRE tunnel, really?
STP? And how are the connections with the six interfaces of the different devices?
Thanks again!!
09-28-2008 03:19 AM
If you use GRE with a static route or any dynamic routing, you can make the tunnel always up.
With IPsec only, the static route should point to the remote site's public IP as the next hop, and the tunnel will come up when interesting traffic is matched by the ACL in the crypto ACL map.
STP with HSRP works on the traffic going from L2 to L3; you need to make sure the active HSRP device is the root bridge as well.
Good luck.
If helpful, rate.