01-02-2009 01:31 AM - edited 03-06-2019 03:13 AM
Hi
I am planning addressing and configuration and I need help; see my architecture in the attachment.
The branch is connected to the central site by a radio link and I should configure a VPN between the 1841 and the ASA to secure each link.
IP phones use DHCP and the DHCP server is the Call Manager. All other equipment is addressed manually.
1. Is each piece of equipment in the right place?
2. I would like to know if my address plan is the best for my architecture; if not, could you please help me?
3. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?
4. IP calls from the branch site cross through the Cisco 1841 and ASA 5520; I think that IP calls can't work through 2 NATs. How can I configure the 1841 and 5520 to forward IP calls well?
01-02-2009 04:55 AM
Hello Cam,
1) I would move the LAN central site after the ASA on the right.
2) the address plan seems good
3) see point 1
4) some more details can be needed here
Hope to help
Giuseppe
01-02-2009 05:19 AM
Thanks for your answer
1. I use the ASA to protect the whole network. If I move the LAN central site to the right, the LAN central site would not be protected. How do I get the best architecture and keep the whole network protected?
01-02-2009 06:45 AM
Hello Cam,
I may be wrong and you are right; I thought you were going to use VPN over the radio links too.
If not, the position of the central site LAN is correct.
Hope to help
Giuseppe
01-02-2009 07:14 AM
Yes, you are right: I am going to use the ASA for VPN from the branch site and also as a firewall to protect the entire network (LAN central site and branch site).
1. What is the best architecture that can help to configure VPN to the branch site and keep the whole network protected?
2. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?
01-02-2009 11:37 AM
Hello Cam,
if you have 4 LAN interfaces on the ASA you can do everything:
1 LAN interface that connects the three radio links:
use a LAN switch and connect the 3 ports of the radio links + 1 ASA port in the same VLAN;
this ASA interface is a DMZ1
1 ASA LAN interface for the LAN central site: this is your INSIDE
1 ASA LAN interface for the DMZ (DMZ2, the real DMZ)
1 ASA LAN interface to the router/CME: this can be your OUTSIDE
if you are missing one ASA LAN port, I would move the DMZ to an interface of the router/CME.
2) I've had a look at the ASA 8.0 config guide
Native VLAN support for the ASA 5505
as a new feature:
You can now include the native VLAN in an ASA 5505 trunk port.
Default State of Interfaces
The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
• Physical interfaces: Disabled.
• Redundant interfaces: Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.
• Subinterfaces: Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.
see
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057763
LAN to LAN VPNS
see
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
An example of L2L VPN between ASA/PIX and an IOS router
Note:
the VOIP part can be addressed later but it will require changes to the tunnel configurations
Hope to help
Giuseppe
01-03-2009 01:56 AM
Thanks very much
I have updated the architecture as you told me; see architecture3 in the attachment.
1. I modified the IP address plan; please look and let me know your comments on this address plan.
2. I also specified interfaces with and without subinterfaces: could you please give me your comments?
3. Is it a good thing if I put (A1/0.1, A2/0.1, A3/0.1, E0.1) in the same network (192.168.20.0 for example) and also put (A1/0.2, A2/0.2, A3/0.2, E0.2) in the same network (192.168.30.0 for example)?
Thanks in advance
01-03-2009 04:55 AM
Hello Cam,
I think the new design is better in order to implement LAN to LAN VPNs for the radio links.
I don't know on the ASA, but on routers each L3 IP subnet cannot have multiple entry/exit points: overlapping IP addresses on LAN and VLAN subinterfaces are not allowed on a single device.
You can deploy in each remote site the data VLAN as one subinterface and the voice VLAN as another subinterface. You cannot provide redundancy by overlapping IP addresses.
The same rules apply to the central site.
Having distinct subnets for voice and data helps in the configuration of the VPN and of the NAT and firewall to the internet:
phones don't need to go to the internet, just to say.
PCs don't need to access the CME on the SCCP ports, and so on.
I suggest writing down all the flows that you want to allow.
NAT will be needed to access the internet, but I suppose it will be performed by the router/CME.
You can use a mix of physical interfaces and subinterfaces, but no overlapping in IP addressing should be allowed.
Hope to help
Giuseppe
01-03-2009 05:34 AM
I don't really understand your last reply, but as you see on the architecture I plan to use subinterfaces on each LAN interface of the branch router and on the LAN central site interface of the ASA.
1. Is there another place where I should use subinterfaces?
2. What do you think about my addressing plan?
01-03-2009 06:00 AM
Hello Cam,
sorry if I've been unclear;
the choice of interfaces and subinterfaces is fine.
About the IP addressing: each subinterface needs to be in a different IP subnet, that's all.
I see this in the picture
E0.1 192.168.150.0/24
E0.2 192.168.150.0/24
I say change to
E0.1 192.168.150.0/24
E0.2 192.168.151.0/24
Hope to help
Giuseppe
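The two points made in the replies above (the ASA subinterfaces must each sit in their own subnet, with the parent physical interface enabled, and a LAN-to-LAN tunnel between the 1841 and the ASA over the radio link) can be put together in one configuration. This is an added example and not part of the thread or its attachments: the interface names, VLAN numbers, the 192.168.20.0/24 radio subnet, the branch subnets 192.168.160.0/24 and 192.168.161.0/24, and the pre-shared key are all assumptions chosen to illustrate the layout, and only the central site data/voice subnets follow Giuseppe's suggestion.

```cisco
! Added example, not from the thread. Assumed: ASA GigabitEthernet0/0 faces
! the radio links (192.168.20.1/24), ASA GigabitEthernet0/1 carries the
! central site data VLAN 10 (192.168.150.0/24) and voice VLAN 20
! (192.168.151.0/24); branch 1 is a 1841 at 192.168.20.11/24 with data
! VLAN 10 (192.168.160.0/24) and voice VLAN 20 (192.168.161.0/24).
!
! ===== ASA 5520 (8.0), central site =====
interface GigabitEthernet0/0
 nameif radio
 security-level 50
 ip address 192.168.20.1 255.255.255.0
! physical interfaces are disabled by default
 no shutdown
!
! parent of the subinterfaces: no address of its own, but it must be up
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside-data
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
! a different subnet on every subinterface (not 192.168.150.0/24 again)
interface GigabitEthernet0/1.20
 vlan 20
 nameif inside-voice
 security-level 100
 ip address 192.168.151.1 255.255.255.0
!
! traffic that enters the tunnel must not be translated
access-list NONAT extended permit ip 192.168.150.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list NONAT extended permit ip 192.168.151.0 255.255.255.0 192.168.161.0 255.255.255.0
nat (inside-data) 0 access-list NONAT
nat (inside-voice) 0 access-list NONAT
!
! interesting traffic for the LAN-to-LAN tunnel to branch 1
access-list L2L-BRANCH1 extended permit ip 192.168.150.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list L2L-BRANCH1 extended permit ip 192.168.151.0 255.255.255.0 192.168.161.0 255.255.255.0
!
crypto isakmp enable radio
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map RADIO-MAP 10 match address L2L-BRANCH1
crypto map RADIO-MAP 10 set peer 192.168.20.11
crypto map RADIO-MAP 10 set transform-set AES-SHA
crypto map RADIO-MAP interface radio
tunnel-group 192.168.20.11 type ipsec-l2l
tunnel-group 192.168.20.11 ipsec-attributes
 pre-shared-key CHANGE-ME-LONG-RANDOM-KEY
!
! ===== Cisco 1841, branch 1 =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME-LONG-RANDOM-KEY address 192.168.20.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended L2L-CENTRAL
 permit ip 192.168.160.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.161.0 0.0.0.255 192.168.151.0 0.0.0.255
!
crypto map CENTRAL-MAP 10 ipsec-isakmp
 set peer 192.168.20.1
 set transform-set AES-SHA
 match address L2L-CENTRAL
!
interface FastEthernet0/0
 description radio link to central site
 ip address 192.168.20.11 255.255.255.0
 crypto map CENTRAL-MAP
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.160.1 255.255.255.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.161.1 255.255.255.0
```

The crypto ACLs on the two sides are mirror images of each other, and the NONAT list on the ASA has to match the same source/destination pairs, otherwise packets are translated before they reach the crypto map and never match the tunnel, which is the "two NATs" problem raised for the IP phones. Adding a second branch means one more crypto map entry with its own peer and ACL, plus the matching NONAT lines.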
01-03-2009 06:19 AM
Oh sorry, I made a mistake.
Thanks, I will modify it.
I think that I am afraid of the configuration of the ASA with four interfaces connected, but I will try my best.
I will also implement it and let you know
Thanks
01-05-2009 05:58 AM
Hi
Somebody suggested to me to add a Cisco 2811 to aggregate VPN connections from the branch sites and use the ASA only to protect the network.
1. Please look at architecture 4 in the attachment and tell me if the address plan is good.
2. Which of the 2 solutions (with and without the Cisco 2811) is the best?
01-06-2009 08:18 AM
Hello Cam
sorry for the late answer
1) the addressing plan looks fine
2) by adding a device you reduce the complexity of the ASA configuration:
if you have to look at the costs, without the 2811 it is cheaper in equipment but it can require more time to deploy.
The ASA can do all the job, but the configuration can be more difficult.
Rather, if you add a C2811 I would consider moving the CME function onto it; I don't think it is a good idea to have it on the border router for security reasons.
In this way IP phone traffic would never have to cross the ASA; this makes the ASA configuration even simpler and VoIP services will not depend on the ASA.
This can be a very good reason for adding the C2811 to the picture, more than the desire to simplify the ASA configuration.
Hope to help
Giuseppe