Using Internet Connection at Secondary Site


9 replies to this topic

#1 Garry

Garry

    CCNP & CISSP

  • Joined: 09-November 01
  • Location: Manchester, UK

Posted 10 February 2014 - 23:00

Hello,

This is quite a complicated one using quite a well-developed network infrastructure. I'm tearing my hair out trying to find what I thought would be quite a simple solution. Perhaps BudMan can help.

We have a network architecture as follows in this amazing diagram. To the left is one physical site, to the right is the other. They are connected via two 1Gb routed links, though these could become switched links if necessary. Note that the two 'DMZs' at the bottom are a mistake. These should be regular client VLANs.

[Diagram: 344yyk6.jpg]

All I want to do is find a way to use the other site's Internet connection if the Internet connection at one of the sites goes down. In theory it seems pretty simple, but whenever I explore a method I end up hitting a brick wall. We are running EIGRP between the core switches and several other devices and remote sites not shown on the diagram. Unfortunately, the majority of the DMZ VLANs (and there are a lot of them) are statically routed.

Here's what I've tried so far:

a) Set up a floating gateway on the core switch (which is the default gateway for client VLANs) - This method won't work as hosts in the DMZs don't route through the core switch. DMZ hosts would still lose Internet access.


b) Connect a spare ASA interface back to the core switch - Our Network Security Manager doesn't approve of this, since client VLANs (which also hold our most secure data) are then only protected from the outside world by one firewall.


c) Connect a spare ASA interface into a new VLAN protected by the FWSM - I just can't see how that would work. The FWSM would then just forward traffic back to the ASA in a loop, unless some kind of route-map were applied. The route-map would presumably have to be applied on the core switch and apply to the incoming interface. At this point I get a little lost. I'm not even sure what I would set the 'next-hop IP' to.


d) Have all devices participate in EIGRP and redistribute a static route from the ASAs into the network - To be honest, I haven't explored this in detail and although I think it's feasible, I get a little lost in deciding exactly what should be set up.


I know I've left out a lot of technical detail but I'm happy to fill in the blanks where required. Any advice would be appreciated.


#2 IsItPluggedIn

IsItPluggedIn

    Neowinian

  • Joined: 08-December 11
  • Location: Sydney, Australia
  • OS: Win 7

Posted 10 February 2014 - 23:16

Are you trying to get all devices including the DMZ server to get out to the internet or just the clients?

Sorry, missed point A; you want them to access it as well.

Are the servers in the DMZ using external IPs, or are they using a NAT from the outside into a private IP range? Do they need to be accessed from the outside, or are they only outbound services?



#3 OP Garry

Garry

    CCNP & CISSP

  • Joined: 09-November 01
  • Location: Manchester, UK

Posted 10 February 2014 - 23:31

The servers in the DMZs are all NATed by the ASA. There are a few devices connected to the same external switch as the ASAs but we accept they'll go down along with the internet connection.

You know, I came up with Option D as I was writing the post and the more I think about it, the more feasible it seems. Surely if everything was (carefully!) advertised into EIGRP then it would simply be a case of redistributing the 0.0.0.0 route from the ASAs into the networks? Then add IP SLA to track an external website of some sort and have it route the default route from the ASAs when necessary?
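As an added illustration of the EIGRP + IP SLA idea in option (d) above (this is not configuration from the thread or from any poster), the following Cisco IOS fragment for one site's core switch originates a default route into EIGRP only while that site's own ASA can reach the Internet, and otherwise falls back to the default the other site's core is advertising. Every address, VLAN, interface name, object number and AS number is an assumed placeholder; it only covers networks whose default gateway is the core switch, so it does not by itself solve the statically routed DMZ VLANs or the NAT state that would have to exist on the other ASA.

```cisco
! Added example, not from the thread. All addresses, interfaces, object
! numbers and the EIGRP AS are assumed placeholders for site A's core.

! Probe a public address via the local ASA every 10 seconds. 192.0.2.1 is
! a documentation address standing in for "an external website of some sort".
ip sla 10
 icmp-echo 192.0.2.1 source-interface Vlan100
 frequency 10
 timeout 2000
 threshold 1500
ip sla schedule 10 life forever start-time now

! Damp the tracker so one lost echo does not flap the default route:
! declare down after 30 s of failures, up again only after 30 s of success.
track 10 ip sla 10 reachability
 delay down 30 up 30

! Primary default towards the local ASA's inside address, tied to the tracker.
! When the tracker is down this route is withdrawn from the RIB.
ip route 0.0.0.0 0.0.0.0 10.1.100.1 name ASA-SITE-A track 10

! Standard ACL matching the local ASA as next hop, used so that only the
! default that really points at our own ASA is ever redistributed.
access-list 10 permit host 10.1.100.1

ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT-ONLY
 match ip next-hop 10

router eigrp 100
 network 10.0.0.0 0.255.255.255
 ! Redistribute the tracked static default as an external (AD 170) route.
 ! While the tracker is up, clients at both sites see two candidate defaults
 ! and prefer their local one by metric; when site A's ASA dies, site A's
 ! default disappears and the one originated by site B's core takes over
 ! across the 1Gb inter-site links.
 redistribute static metric 100000 100 255 1 1500 route-map STATIC-TO-EIGRP
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 no passive-interface TenGigabitEthernet1/2
```

The mirror configuration goes on site B's core with its own ASA address and probe source. Because the redistributed default is filtered on next hop, a core can never re-advertise the default it learned from the other site as if it were its own, which is the loop the route-map in option (c) was trying to avoid.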



#4 IsItPluggedIn

IsItPluggedIn

    Neowinian

  • Joined: 08-December 11
  • Location: Sydney, Australia
  • OS: Win 7

Posted 10 February 2014 - 23:44

Are the links between the sites direct, or are they an ISP connection?

I'm thinking about your DMZ servers, which will now be routing through the LAN to get out. Our security team does not like that.



#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 February 2014 - 23:51

So to be clear, you want the dmz from one site to route through your gig connections and out the other internet on failure?

Like this?

[Image: path.png]

Not just the bottom VLANs (called DMZ in the drawing). I agree about possible security concerns routing traffic over what is normally a private zone. That might be a no-no?



#6 IsItPluggedIn

IsItPluggedIn

    Neowinian

  • Joined: 08-December 11
  • Location: Sydney, Australia
  • OS: Win 7

Posted 10 February 2014 - 23:57

The private link between the Cisco 6500s could be moved to terminate on the ASA instead and it would stop this issue, but then the ASA would become a routing device. That is fine if there are only small amounts of traffic between sites; if there is a lot then I would advise against it.



#7 OP Garry

Garry

    CCNP & CISSP

  • Joined: 09-November 01
  • Location: Manchester, UK

Posted 11 February 2014 - 09:11

Hello,

The site-to-site links are direct. You're both right about DMZ traffic potentially having to come in to go out. I hadn't considered that, and it is something our security team wouldn't like. Perhaps it's acceptable in a degraded service scenario though.

Yes Budman, like that :)

It would seem that moving the two site to site links forward of the ASAs might be the only way forward. We're using a pair of pretty beefy 5520Xs at each site, so overhead shouldn't be an issue. I suppose that's the simplest way to do things really - but it means that internal site to site traffic will need to be identified and new firewall rules created.

#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 February 2014 - 12:35

Another question for you - is only outbound Internet required? Or do you advertise networks/routes out of these Internet connections?

I would assume the services in the DMZ serve the public Internet? If so, even if you route their traffic out the other connection - what about inbound traffic? You would need to change your BGP advertisements so that networks are advertised out of the other location?

You mention NATs - so NATs would have to be on the other ASA when the traffic flips to it.



#9 OP Garry

Garry

    CCNP & CISSP

  • Joined: 09-November 01
  • Location: Manchester, UK

Posted 11 February 2014 - 14:31

> Another question for you - is only outbound Internet required? Or do you advertise networks/routes out of these Internet connections?
>
> I would assume the services in the DMZ serve the public Internet? If so, even if you route their traffic out the other connection - what about inbound traffic? You would need to change your BGP advertisements so that networks are advertised out of the other location?
>
> You mention NATs - so NATs would have to be on the other ASA when the traffic flips to it.

Hiya - We're just talking outbound at the moment, though we do want to implement BGP peering at some point in the future. As you can probably tell, this situation has arisen due to a merger. You'd never design a network like this!

The DMZ servers do serve the public Internet, but the business accepts that our best solution, at the moment, is changing DNS entries!

We're aware of the NAT thing - relatively easily solved once we can reliably get traffic there.

#10 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 11 February 2014 - 14:53

How we do failover between two DCs and connections is via just an extended layer 2 over dark fiber and a simple HSRP-type setup; with Juniper it's an HA setup and VIP, etc.

If you move your connection to the ASA I would assume you could do a similar type of setup - you mentioned you could change your connection to just layer 2 vs. routed.