I have 1 central site and 3 remote sites connected by wireless link. Call Manager is installed on the router 3825 and already running. I need to configure and secure traffic between the central site and the 3 remote sites and install an ASA 5520 to protect the network (see pics attached). I have 4 questions:
1. The ASA is placed just behind the router 3825; is this the best location?
2. Is it better to configure the VPN tunnels between the ASA 5520 and the routers 1841, or between the router 3825 and the routers 1841?
3. I chose site-to-site VPN with IPSec AES and pre-shared key. How can I implement it and keep traffic and IP telephony QoS?
4. How can I configure the ASA 5520 to protect my network and keep traffic and IP telephony QoS?
To answer your questions:
1) I would place the ASA in front of the router to protect all network devices.
2) From your diagram I do not see why you need to do this, as it appears you have direct connections to the remote sites.
3) See the below links:
4) The above will do this.
Hello, and thanks for your answer.
As you see in my architecture, from the remote site, IP phone calls pass through the branch router (1841) and the ASA 5520 to reach the Call Manager on the 3745. If I configure NAT on the 1841 and ASA 5520, would IP calls work? If not, how can I configure the branch router 1841 and ASA 5520 without NAT to make IP calls work fine?
You can configure no-NAT from the 1841 to the ASA over a VPN tunnel. You then configure the traffic to pass through the ASA to the Call Manager without being NATted, based on a source- and destination-specific access-list.
Thanks for your answer.
Please look at the attachment. The branch is connected to the central site by radio link, and I should configure VPN between the 1841 and the ASA to secure each link.
IP phones use DHCP and the DHCP server is the Call Manager. All other equipment is addressed manually.
1. With the no-NAT command in the 1841, do I need to use any routing protocol? If yes, what is the best in my case?
2. I would like to know if my address plan is the best for my architecture; if not, could you please help me?
3. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site?
Thanks in advance.
Yes, I have seen the diagram; it is the same one you keep posting.
1. With the no-NAT command in the 1841, do I need to use any routing protocol? If yes, what is the best in my case? No-NAT has NOTHING to do with a routing protocol. If you want to use one, fine. If not, static routes will do the job just as well.
2. I would like to know if my address plan is the best for my architecture; if not, could you please help me? There is no reference to IP addressing in any of your diagrams.
3. Can the ASA support VPN and subinterfaces? If not, how can I configure the B4 interface of the ASA to support VPN from the branch site and VLANs in the LAN of the central site? The ASA can support VPNs and sub-interfaces, and VPNs on sub-interfaces, if you really want to.
1. Is the configuration of a subinterface on the ASA the same as on a router?
See the new architecture with IP addresses.
2. I would like to know if my address plan is the best for my architecture; if not, could you please help me? There is no reference to IP addressing in any of your diagrams.
1) No, there is no need to configure the encapsulation as dot1q; the ASA will already know this (Cisco default). Just create the sub-interface and make sure the switch port is configured as a trunk.
2) You have NOT supplied any IP addressing scheme. Since you only have 4 sites (3 remote and 1 central), the 192.168.x.x range will be enough. This IP subnet structure will give you 64,000+ IP addresses.
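The no-NAT site-to-site tunnel, the ASA VLAN sub-interface and a voice priority queue from the replies above, written out as an added example (not configuration posted in this thread). It assumes ASA 8.2-era NAT syntax, a central LAN 192.168.10.0/24 with the Call Manager at 192.168.10.10, a branch LAN 192.168.20.0/24, radio-link addresses 10.1.1.1 (ASA outside) and 10.1.1.2 (1841), and a dot1q trunk on the switch port facing Gi0/1; the key and addresses are placeholders.

```cisco
! ---- ASA 5520 at the central site (ASA 8.2-style NAT syntax; placeholder addresses) ----
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
! Interesting traffic for branch 1, also used for NAT exemption so voice is never translated
access-list VPN-BRANCH1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list VPN-BRANCH1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-BRANCH1
crypto map OUTSIDE_MAP 10 set peer 10.1.1.2
crypto map OUTSIDE_MAP 10 set transform-set AES-SHA
crypto map OUTSIDE_MAP interface outside
! Strict-priority queue for voice (DSCP EF) on the radio-facing outside interface
class-map VOICE
 match dscp ef
policy-map QOS-OUT
 class VOICE
  priority
priority-queue outside
service-policy QOS-OUT interface outside
! ---- Branch router 1841: no "ip nat inside/outside" anywhere, so nothing is translated ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 10.1.1.1
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
ip access-list extended VPN-CENTRAL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set AES-SHA
 match address VPN-CENTRAL
 qos pre-classify
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.10
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 crypto map CMAP
```

The same ACL serves as crypto match and NAT exemption on the ASA, so the phone traffic keeps its real addresses and its DSCP marking (copied to the outer ESP header) across the radio link; the ip helper-address line is only needed if the branch phones keep getting DHCP from the Call Manager rather than from the 1841.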
I have updated the architecture; see architecture3 in the attachment.
1. I modified the IP address plan; please look and let me know your comments on this address plan.
2. I also specified interfaces with and without subinterfaces; could you please give me your comments?
3. Is this architecture the best for VPN, VoIP, data and security for my network?
Thanks in advance.
1) If you never have more than 250 users/servers/phones, then it is OK.
2) Looks OK.
3) Too big a question.
Is the Call Manager going to be the DHCP server for the IP phones? If so, this is not a good idea. I would have the local routers be the DHCP servers for the PCs and IP phones.
The PCs are addressed manually.
I was planning to have only one DHCP server for IP phones on the Call Manager; in this case I could use the ip helper-address command on each router 1841 for branch IP phone DHCP requests, and on the ASA for LAN central IP phone DHCP requests.
1. Why do you think that it is better to use the branch router as DHCP server for the local IP phones?
2. What about the DHCP server for IP phones in the LAN of the central site?
3. All IP phones load their configuration from the Call Manager: do you think that it is a good idea to take an IP address from the local router and then register and load the configuration from the Call Manager?