Help with addressing, planning and configuration

Jan 2nd, 2009

Hi

I am planning addressing and configuration and I need help, see my architecture in the attachment.

The branch is connected to the central site by a radio link and I should configure a VPN between the 1841 and the ASA to secure each link.

The IP phones use DHCP and the DHCP server is the Call Manager. All other equipment is addressed manually.

1. Is each piece of equipment in the right place?

2. I would like to know if my address plan is the best for my architecture; if not, could you please help me?

3. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?

4. IP calls from the branch site cross through the Cisco 1841 and the ASA 5520. I think that IP calls can't work through 2 NATs; how can I configure the 1841 and the 5520 to forward IP calls properly?

Giuseppe Larosa Fri, 01/02/2009 - 04:55

Hello Cam,

1) I would move the central site LAN after the ASA, on the right.

2) the address plan seems good

3) see point 1

4) some more details would be needed here


Hope to help

Giuseppe


nicanor00 Fri, 01/02/2009 - 05:19

Thanks for your answer


1. I use the ASA to protect the whole network. If I move the central LAN to the right, the central LAN would not be protected. How do I get the best architecture and keep the whole network protected?


Giuseppe Larosa Fri, 01/02/2009 - 06:45

Hello Cam,

I may be wrong and you may be right; I thought you were going to use VPN over the radio links too.

If not, the position of the central site LAN is correct.


Hope to help

Giuseppe


nicanor00 Fri, 01/02/2009 - 07:14

Yes, you are right, I am going to use the ASA for VPN from the branch sites and also as a firewall to protect the entire network (central site LAN and branch sites).

1. What is the best architecture that lets me configure VPN to the branch sites and keep the whole network protected?

2. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?


Giuseppe Larosa Fri, 01/02/2009 - 11:37

Hello Cam,


if you have 4 LAN interfaces on the ASA you can do everything:

1 LAN interface that connects the three radio links: use a LAN switch and connect the 3 ports of the radio links + 1 ASA port in the same VLAN. This ASA interface is DMZ1.

1 ASA LAN interface for the central site LAN: this is your INSIDE.

1 ASA LAN interface for the DMZ (DMZ2, the real DMZ).

1 ASA LAN interface to the router/CME: this can be your OUTSIDE.

If you are short of one ASA LAN port I would move the DMZ to an interface of the router/CME.


2) I've had a look at the ASA 8.0 config guide, which lists "Native VLAN support for the ASA 5505" as a new feature: "You can now include the native VLAN in an ASA 5505 trunk port."

On the default state of interfaces it says:

"The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

• Physical interfaces: Disabled.

• Redundant interfaces: Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

• Subinterfaces: Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled."


see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057763

LAN-to-LAN VPNs: see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

An example of a LAN-to-LAN VPN between an ASA/PIX and an IOS router:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

Note: the VoIP part can be addressed later, but it will require changes to the tunnel configurations.



Hope to help

Giuseppe


nicanor00 Sat, 01/03/2009 - 01:56

Thanks very much

I have updated the architecture as you told me, see architecture3 in the attachment.

1. I modified the IP address plan; please look and let me know your comments on this address plan.

2. I also specified the interfaces with and without subinterfaces: could you please give me your comments?

3. Is it a good thing if I put (A1/0.1, A2/0.1, A3/0.1, E0.1) in the same network (192.168.20.0 for example) and also put (A1/0.2, A2/0.2, A3/0.2, E0.2) in the same network (192.168.30.0 for example)?


Thanks in advance

Giuseppe Larosa Sat, 01/03/2009 - 04:55

Hello Cam,

I think the new design is better in order to implement LAN-to-LAN VPNs for the radio links.

I don't know about the ASA, but on routers each L3 IP subnet cannot have multiple entry/exit points: overlapping IP addresses on LAN and VLAN subinterfaces are not allowed on a single device.

You can deploy in each remote site the data VLAN as one subinterface and the voice VLAN as another subinterface. You cannot provide redundancy by overlapping IP addresses.

The same rules apply to the central site.

Having distinct subnets for voice and data helps in the configuration of the VPN and of the NAT and firewall to the Internet: phones don't need to go to the Internet, just to say. PCs don't need to access the CME on the SCCP ports, and so on.

I suggest writing down all the flows that you want to allow.

NAT will be needed to access the Internet, but I suppose it will be performed by the router/CME.

You can use a mix of physical interfaces and subinterfaces, but no overlap in IP addressing should be allowed.


Hope to help

Giuseppe


nicanor00 Sat, 01/03/2009 - 05:34

I don't really understand your last reply, but as you see in the architecture I plan to use subinterfaces on each LAN interface of the branch routers and on the central site LAN interface of the ASA.

1. Is there another place where I should use subinterfaces?

2. What do you think about my addressing plan?

Giuseppe Larosa Sat, 01/03/2009 - 06:00

Hello Cam,

sorry if I've been unclear.

The choice of interfaces and subinterfaces is fine.

About the IP addressing: each subinterface needs to be in a different IP subnet, that's all.

I see this in the picture:

E0.1 192.168.150.0/24
E0.2 192.168.150.0/24

I would change it to:

E0.1 192.168.150.0/24
E0.2 192.168.151.0/24


Hope to help

Giuseppe

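The four-interface ASA layout Giuseppe describes (radio links on DMZ1, central LAN on INSIDE with one subinterface per VLAN, router/CME on OUTSIDE), the LAN-to-LAN tunnel between the ASA and a branch 1841, and the "write down the flows you want to allow" advice, pulled together as one added configuration example. This is editor-written illustration, not configuration from the thread or from Cisco's examples. Everything beyond the E0.1/E0.2 subnets quoted above is an assumption: the port mapping (Gi0/0 outside, Gi0/1 inside trunk, Gi0/2 dmz1; dmz2 on Gi0/3 is omitted for brevity), the radio segment 192.168.20.0/24, the branch 1 data/voice subnets 192.168.10.0/24 and 192.168.11.0/24, the CME/Call Manager host 10.0.0.10 on the outside segment, VLAN IDs, and the pre-shared key placeholder. Only branch 1 is shown; branches 2 and 3 get their own crypto map entries (20, 30), tunnel-groups and routes.

```cisco
! ===== Central site: ASA 5520, ASA 8.0 (assumed port mapping) =====
interface GigabitEthernet0/0
 description to router/CME segment (OUTSIDE)
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 description central site LAN trunk; one subinterface per VLAN
 no nameif
 no security-level
 no ip address
 no shutdown
interface GigabitEthernet0/1.1
 vlan 150
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
interface GigabitEthernet0/1.2
 vlan 151
 nameif inside-voice
 security-level 100
 ip address 192.168.151.1 255.255.255.0
interface GigabitEthernet0/2
 description switch aggregating the three radio links (DMZ1)
 nameif dmz1
 security-level 50
 ip address 192.168.20.1 255.255.255.0
 no shutdown
same-security-traffic permit inter-interface
route outside 0.0.0.0 0.0.0.0 10.0.0.1
route dmz1 192.168.10.0 255.255.255.0 192.168.20.11
route dmz1 192.168.11.0 255.255.255.0 192.168.20.11
! LAN-to-LAN tunnel terminating on dmz1 (peer = branch 1 radio-side address)
crypto isakmp enable dmz1
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Interesting traffic: data<->data, voice<->voice, branch voice<->CME segment
access-list VPN-BRANCH1 extended permit ip 192.168.150.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-BRANCH1 extended permit ip 192.168.151.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list VPN-BRANCH1 extended permit ip 10.0.0.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto map RADIO 10 match address VPN-BRANCH1
crypto map RADIO 10 set peer 192.168.20.11
crypto map RADIO 10 set transform-set ESP-AES-SHA
crypto map RADIO interface dmz1
tunnel-group 192.168.20.11 type ipsec-l2l
tunnel-group 192.168.20.11 ipsec-attributes
 pre-shared-key BRANCH1-PSK-PLACEHOLDER
! Flow list. Decrypted VPN traffic bypasses the interface ACL by default;
! turn that off so only the flows written down here enter from dmz1.
no sysopt connection permit-vpn
access-list DMZ1-IN extended permit udp 192.168.11.0 255.255.255.0 host 10.0.0.10 eq 67
access-list DMZ1-IN extended permit udp 192.168.11.0 255.255.255.0 host 10.0.0.10 eq 69
access-list DMZ1-IN extended permit tcp 192.168.11.0 255.255.255.0 host 10.0.0.10 eq 2000
access-list DMZ1-IN extended permit udp 192.168.11.0 255.255.255.0 192.168.151.0 255.255.255.0 range 16384 32767
access-list DMZ1-IN extended permit ip 192.168.10.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list DMZ1-IN deny ip any any log
access-group DMZ1-IN in interface dmz1

! ===== Branch 1: Cisco 1841, IOS 12.4 (assumed interfaces and VLAN IDs) =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key BRANCH1-PSK-PLACEHOLDER address 192.168.20.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Mirror image of VPN-BRANCH1 on the ASA (IOS uses wildcard masks)
ip access-list extended VPN-CENTRAL
 permit ip 192.168.10.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 192.168.151.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map RADIO 10 ipsec-isakmp
 set peer 192.168.20.1
 set transform-set ESP-AES-SHA
 match address VPN-CENTRAL
interface FastEthernet0/0
 description radio link to central site (DMZ1 segment)
 ip address 192.168.20.11 255.255.255.0
 crypto map RADIO
 no shutdown
interface FastEthernet0/1
 no ip address
 no shutdown
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/1.2
 encapsulation dot1Q 11
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 10.0.0.10
ip route 0.0.0.0 0.0.0.0 192.168.20.1
```

A few points this layout relies on. The DMZ1-IN entries are the flows the phones actually need (DHCP relayed by the 1841 to the Call Manager on UDP 67, TFTP on UDP 69 for phone configuration, SCCP on TCP 2000, and RTP between the voice subnets); the PCs on 192.168.10.0/24 only reach the central data VLAN, so they never get SCCP access to the CME, which is the separation Giuseppe recommends. The ASA 8.0 default policy-map already inspects skinny and tftp, which opens the RTP return pinholes; the 1841 has no NAT statements and ASA 8.0 defaults to no nat-control, so nothing inside the tunnel is translated and the double-NAT problem from question 4 does not arise. The two crypto ACLs must remain exact mirrors of each other or phase 2 fails. If the branches are meant to reach the Internet through the central site, add a 192.168.10.0/24 to any line to both crypto ACLs and a matching DMZ1-IN entry; as written, such traffic would cross the radio link unencrypted and be dropped by the deny line.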

nicanor00 Sat, 01/03/2009 - 06:19

Oh sorry, I made a mistake.

Thanks, I will modify it.

I think I am afraid of the configuration of the ASA with four interfaces connected, but I will try my best.

I will also implement it and let you know.


Thanks

nicanor00 Mon, 01/05/2009 - 05:58

Hi

Somebody suggested that I add a Cisco 2811 to aggregate the VPN connections from the branch sites and use the ASA only to protect the network.

1. Please look at architecture 4 in the attachment and tell me if the address plan is good.

2. Which of the 2 solutions (with and without the Cisco 2811) is the best?



Giuseppe Larosa Tue, 01/06/2009 - 08:18

Hello Cam


sorry for the late answer.

1) the addressing plan looks fine

2) by adding a device you reduce the complexity of the ASA configuration: if you have to look at costs, without the 2811 it is cheaper in equipment but it can require more time to deploy.

The ASA can do the whole job, but the configuration can be more difficult.

Rather, if you add a C2811 I would consider moving the CME function onto it; I don't think it is a good idea to have it on the border router for security reasons.

In this way IP phone traffic would never have to cross the ASA; this makes the ASA configuration even simpler and VoIP services will not depend on the ASA.

This can be a very good reason for adding the C2811 to the picture, more than the desire to simplify the ASA configuration.


Hope to help

Giuseppe

