help addressing, planning and configuring

nicanor00
Level 1

Hi

I am planning addressing and configuration and I need help; see my architecture in the attachment.

The branch is connected to the central site by radio link and I should configure a VPN between the 1841 and the ASA to secure each link.

IP phones use DHCP and the DHCP server is the Call Manager. All other equipment is addressed manually.

1. Is each piece of equipment in the right place?

2. I would like to know if my address plan is the best for my architecture; if not, could you please help me?

3. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?

4. IP calls from the branch site cross through the Cisco 1841 and ASA 5520; I think that IP calls can't work through 2 NATs. How can I configure the 1841 and 5520 to forward IP calls properly?

12 Replies

Giuseppe Larosa
Hall of Fame

Hello Cam,

1) I would move the LAN central site after the ASA on the right.

2) the address plan seems good

3) see point 1

4) some more details can be needed here

Hope to help

Giuseppe

Thanks for your answer

1. I use the ASA to protect the whole network. If I move the central LAN to the right, the central LAN would not be protected. How do I get the best architecture and keep the whole network protected?

Hello Cam,

I may be wrong and you are right: I thought you were going to use VPN over the radio links too.

If not, the position of the central site LAN is correct.

Hope to help

Giuseppe

Yes, you are right: I am going to use the ASA for VPN from the branch site and also as a firewall to protect the entire network (central site LAN and branch site).

1. What is the best architecture that can help to configure VPN to the branch site and keep the whole network protected?

2. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?

Hello Cam,

if you have 4 LAN interfaces on the ASA you can do everything:

1 LAN interface that connects the three radio links

use a LAN switch and connect the 3 ports of the radio links + 1 ASA port in the same VLAN

this ASA port is DMZ1

1 ASA LAN for the LAN central site: this is your INSIDE

1 ASA LAN for the DMZ (DMZ2, the real DMZ)

1 ASA LAN to the router/CME: this can be your OUTSIDE

if you miss one ASA LAN port I would move the DMZ to an interface of the router/CME

2) I've had a look at the ASA 8.0 config guide:

Native VLAN support for the ASA 5505

as a new feature:

You can now include the native VLAN in an ASA 5505 trunk port.

Default State of Interfaces

The default state of an interface depends on the type and the context mode.

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

• Physical interfaces: Disabled.

• Redundant Interfaces: Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

• Subinterfaces: Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057763

LAN to LAN VPNs

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

An example of a LAN-to-LAN VPN between ASA/PIX and an IOS router:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

Note:

the VoIP part can be addressed later, but it will require changes to the tunnel configurations

Hope to help

Giuseppe

Thanks very much

I have updated the architecture as you told me; see architecture3 in the attachment.

1. I modified the IP address plan; please look and let me know your comments on this address plan.

2. I also specified interfaces with and without subinterfaces: could you please give me your comments?

3. Is it a good thing if I put (A1/0.1, A2/0.1, A3/0.1, E0.1) in the same network (192.168.20.0 for example) and also put (A1/0.2, A2/0.2, A3/0.2, E0.2) in the same network (192.168.30.0 for example)?

Thanks in advance

Hello Cam,

I think the new design is better in order to implement LAN to LAN VPNs for the radio links.

I don't know on the ASA, but on routers each L3 IP subnet cannot have multiple entry/exit points: overlapping IP addresses on LAN and VLAN subinterfaces are not allowed on a single device.

You can deploy in each remote site the data VLAN as a subinterface and the voice VLAN as another subinterface. You cannot provide redundancy by overlapping IP addresses.

The same rules apply to the central site.

Having distinct subnets for voice and data helps in the configuration of the VPN and of the NAT and firewall to the internet:

phones don't need to go to the internet, just to say.

PCs don't need to access the CME on the SCCP ports, and so on.

I suggest writing down all the flows that you want to allow.

NAT will be needed to access the internet, but I suppose it will be performed by the router/CME.

You can use a mix of physical interfaces and subinterfaces, but no overlapping in IP addressing should be allowed.

Hope to help

Giuseppe

I don't really understand your last reply, but as you see in the architecture I plan to use subinterfaces on each LAN interface of the branch router and on the central site LAN interface of the ASA.

1. Is there any other place where I should use subinterfaces?

2. What do you think about my addressing plan?

Hello Cam,

sorry if I've been unclear.

The choice of interfaces and subinterfaces is fine.

About the IP addressing: each subinterface needs to be in a different IP subnet, that's all.

I see this in the picture:

E0.1 192.168.150.0/24

E0.2 192.168.150.0/24

I say change to:

E0.1 192.168.150.0/24

E0.2 192.168.151.0/24

Hope to help

Giuseppe
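The rule in the reply above (every subinterface on a device must sit in a distinct, non-overlapping subnet) is easy to get wrong by hand once each site carries a data and a voice VLAN. The following script is an added example, not code from the thread or from Cisco: it checks an address plan for overlapping connected subnets on the same device, using the E0.1/E0.2 values from the reply. The device names, and the 192.168.20.0/24 and 192.168.30.0/24 branch subnets, are constructed placeholders for illustration.

```python
"""Address-plan overlap check for per-device subinterfaces (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample plan: (device, interface, connected subnet).
# E0.1/E0.2 and the 192.168.150.0/24 / 192.168.151.0/24 values come from the
# thread; device names and the branch router subnets are placeholders.
PLAN_BEFORE = [
    ("ASA-central", "E0.1", "192.168.150.0/24"),  # data VLAN
    ("ASA-central", "E0.2", "192.168.150.0/24"),  # voice VLAN, wrongly same subnet
    ("BR1-1841", "A1/0.1", "192.168.20.0/24"),    # branch data VLAN
    ("BR1-1841", "A1/0.2", "192.168.30.0/24"),    # branch voice VLAN
]

# Same plan after the correction suggested in the thread.
PLAN_AFTER = [
    ("ASA-central", "E0.1", "192.168.150.0/24"),
    ("ASA-central", "E0.2", "192.168.151.0/24"),
    ("BR1-1841", "A1/0.1", "192.168.20.0/24"),
    ("BR1-1841", "A1/0.2", "192.168.30.0/24"),
]


def find_overlaps(plan):
    """Return (device, if_a, if_b, net_a, net_b) for every pair of interfaces
    on the same device whose connected subnets overlap (identical or nested).

    Two connected routes for the same prefix give the device two candidate
    exits for one destination; IOS rejects the second address and, even where
    a platform accepted it, forwarding would be ambiguous.
    """
    by_device = defaultdict(list)
    for device, ifname, cidr in plan:
        # strict=True rejects host bits set in a network address (e.g. 10.0.0.1/24)
        by_device[device].append((ifname, ipaddress.ip_network(cidr, strict=True)))

    conflicts = []
    for device, entries in by_device.items():
        for i, (if_a, net_a) in enumerate(entries):
            for if_b, net_b in entries[i + 1:]:
                if net_a.overlaps(net_b):
                    conflicts.append((device, if_a, if_b, str(net_a), str(net_b)))
    return conflicts


def plan_is_valid(plan):
    """True when no device in the plan has overlapping connected subnets."""
    return not find_overlaps(plan)


if __name__ == "__main__":
    for name, plan in (("before", PLAN_BEFORE), ("after", PLAN_AFTER)):
        conflicts = find_overlaps(plan)
        print(f"{name}: {'OK' if not conflicts else 'CONFLICTS'}")
        for device, if_a, if_b, net_a, net_b in conflicts:
            print(f"  {device}: {if_a} {net_a} overlaps {if_b} {net_b}")
```

Run against the "before" plan it reports the single E0.1/E0.2 clash on the ASA; the "after" plan passes. Because `overlaps()` also catches nested prefixes (a /25 carved inside a /24 on another subinterface), the check is slightly more general than the identical-subnet case shown in the thread.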

Oh sorry, I made a mistake.

Thanks, I will modify it.

I think that I am afraid of the configuration of the ASA with four interfaces connected, but I will try my best.

I will also implement it and let you know.

Thanks

Hi

Someone suggested I add a Cisco 2811 to aggregate VPN connections from the branch site and use the ASA only to protect the network.

1. Please look at architecture 4 in the attachment and tell me if the address plan is good.

2. Which of the 2 solutions (with and without the Cisco 2511) is the best?

Hello Cam

sorry for the late answer.

1) the addressing plan looks fine

2) by adding a device you reduce the complexity of the ASA configuration:

if you have to look at the costs, without the 2811 it is cheaper in equipment, but it can require more time to deploy.

The ASA can do all the job, but the configuration can be more difficult.

Rather, if you add a C2811 I would consider moving the CME function onto it; I don't think it is a good idea to have it on the border router for security reasons.

In this way IP phone traffic would never have to cross the ASA; this makes the ASA configuration even simpler and VoIP services will not depend on the ASA.

This can be a very good reason for adding the C2811 to the picture, more than the desire to simplify the ASA configuration.

Hope to help

Giuseppe
