Network Design Advice



I am looking for a little advice on a network design I will soon be implementing. Currently we have a home office that has 20 employees. In the home office we have an internal LAN that has a LAN server (DHCP, file server, print server, Active Directory), an application server, and an email server. The LAN is connected to the internet by an 1811 that handles all of the routing, VPN for 3 site-to-site VPNs and up to 5 IPsec individual VPN connections at a time, and firewall duties. To this I need to add a web server, preferably in a separate DMZ zone, that can connect to a SQL server inside the internal LAN.

What I would like advice on is whether there is a need for a separate firewall device, possibly to handle VPN duties and firewall activities, and a recommendation on the device.

I could also use advice on the best way to implement a secure connection from the web server to the SQL server that would not expose my internal LAN to unnecessary risk.



letsgomets Fri, 01/02/2009 - 12:49

Cisco ASA should be able to perform all of these tasks.

Question about the site to site VPNS... Do you have GRE and routing protocols enabled other than BGP? If so the ASA will not function in this role as it doesn't support GRE tunnels.

omar.elmohri Mon, 01/05/2009 - 07:19

This is very common.

I think that you can use the ASA5510; the ASA5510 is smaller. But with the first one you can implement a DMZ region where you can connect your SQL server if you want to keep access to the Internet while securing the inside network.

If you are not familiar with a DMZ, know that this is an intermediate level between inside and outside.

Outside - not secure region

DMZ - intermediate

Inside - most secured region

The ASA5510 can also provide you with a powerful VPN connection for both site-to-site and client access.

Hope that this helps.

Please rate if that helps, and ask other questions if you need more details about the DMZ.
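As an added illustration of the three-zone model described above and of the web-server-to-SQL path the original question asks about (example configuration written for this thread, not posted by anyone here): an ASA interface and access-list layout in which the only traffic allowed from the DMZ into the inside network is the web server talking to the SQL server on TCP 1433. All addresses are constructed, and the NAT statement uses the pre-8.3 `static` syntax that was current for this thread.

```cisco
! Three zones ordered by security level: inside (100) > dmz (50) > outside (0).
! By default the ASA lets traffic flow from a higher level to a lower one,
! so inside hosts can reach the DMZ and the Internet without any ACL.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Constructed addresses: web server 192.168.50.10 (dmz), SQL server 192.168.1.20 (inside).
! Lower-to-higher traffic (dmz -> inside) is denied unless an ACL permits it.
! Permit exactly one flow, then log and drop anything else aimed at the inside
! network, then let the DMZ reach the Internet for updates.
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 192.168.1.20 eq 1433
access-list DMZ_IN extended deny ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Publish only the web server, and only on HTTP/HTTPS, from the outside.
static (dmz,outside) 203.0.113.3 192.168.50.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-group OUTSIDE_IN in interface outside
```

If the web server is compromised, the `deny ... log` line is what limits it to the single SQL port and produces a syslog record of any attempt to go further into the inside network.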



Thank you that does help. I was unsure of the correct device to use to implement everything. I was pretty sure it was the ASA but there are many different models and within the models there are many different levels.

I am still a little unsure of the correct routes to send data between the dmz and internal network but I am going to do some research before I ask any more questions.

Thanks Again,


omar.elmohri Mon, 01/05/2009 - 07:36


Feel free to ask questions.

About the ASA, the ASA5510-SEC-BUN-K9 can be a good one. It supports 3DES and AES encryption, which are strong algorithms. The default is only with DES encryption. It will also depend on your requirements; if not very confidential, DES only may fit your needs and is cost effective for you.



