Solved

Multi-WAN network ?

Posted on 2009-05-05
7
967 Views
Last Modified: 2012-05-06
Hi guys,

I'm having trouble defining the possibility of a multi-WAN network proposed by an IT solution company since I'm no CISCO Geek.
Our company has offices all over the world (US, India, China), all connected in a "World WAN" so we can access certain resources in other countries. IP: 10.x.x.x for each country

In US (IP: 10.149.x.x), the company has several offices (NY, LA, San Francisco, New Jersey), only New York (10.148.5.x) is connected to the World WAN now. We were proposed a solution of connecting all US offices into a smaller network called "American WAN" so we can share resources between offices in US and also be able to access World WAN from anywhere. What I wonder is
- Is this network possible ?
- Can one firewall be able to handle both WANs, is it easy configure this ?
- Is it possible for all US offices to access resources from World WAN, can this be defined by ASA firewall configuration ?
- What should play the role of DHCP here ?

Any advice will be very much appreciated.
question.jpg
0
Comment
Question by:Johnny_Nguyen
  • 4
  • 3
7 Comments
 
LVL 13

Accepted Solution

by:
Quori earned 500 total points
ID: 24311968
Yes, it is. Very sparse on details there, however either via IPSec site-to-site VPN or a layer 2 VPN service (MPLS/VPLS, etc) it is possible.

Yes, it could support any number of 'WANs' you like - it is simply a matter of configuring each terminating interface appropriately. The ease of this is going to vary depending on access restrictions, etc.

What resources are they offering? If you're talking files and things of that nature, then you'd be best off with DFS.

DHCP would only be used for access devices to obtain an IP address at each site. You wouldn't deploy it right across both WANs.
0
 
LVL 1

Author Comment

by:Johnny_Nguyen
ID: 24312205
Hi Quori, clear picture can be seen by clickin on the attached file or here http://www.experts-exchange.com/images/135955/question.jpg

The problem here is that: The World WAN is there now already, I don't control it, they give us a subnet 10.149.x.x. Resources on WORLD WAN are intranet, library and email.

Our job is to build this American WAN and connect all US offcies together rather than just US Head Office in New York. All US offices share some virtual applications deployed at head office New York, but this wont be accessible to any other country.

Now I wonder how to configure the Firewall to support this, do you have any doco on the ASA Firewall ?
And did I draw the diagram correctly ?
0
 
LVL 13

Expert Comment

by:Quori
ID: 24331184
When I get time I can provide some config for getting this sorted out. Do the other offices have any existing connectivity?

You may want to look into an MPLS-VPN solution to tie all your US based sites together, then from the head office (which would be a transit point for the remote offices to get to 'world wan') setup appropriate connectivity into world wan. Or if there is existing connectivity we could setup site to site VPNs between your remote offices and the head office.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 1

Author Comment

by:Johnny_Nguyen
ID: 24332503
At the moment we only have separate internet at each US office. And MPLS-VPN is what they offer for the American WAN. And I reckon MPLS is properly the better choice than site to site since these US offices needs to communicate to each other as well rather than always have to go thru head office..

Imagine we have MPLS-VPN WAN in place now in US, do we connect head office to World WAN like the way I drew there (thru the same firewall, to a different CISCO Router) ? This has been on my mind for quite some time. In that case, how do we configure the Firewall to understand the difference between World WAN and American WAN and router them properly as desired.
0
 
LVL 13

Expert Comment

by:Quori
ID: 24332561
World WAN would have its own subnets. You can run a dynamic routing protocol. The 'world WAN' would have its own interface on the ASA. You can use an MPLS-VPN provider for this or again, site-to-site. If you are wanting to filter the traffic going to the world wan, then you could just terminate it into the ASA.

Even if there are two different providers, it is fine. Just need the two providers to come into the building with the central set of equipment.
0
 
LVL 13

Expert Comment

by:Quori
ID: 24332568
This is all very basic design, and I can't help much because there is just too many ways to do it. And if you don't have full authority over your networks then it is moot until an agreement is reached on design with those who control the world wan.

Once that is setup, we can talk about routing policies to their side of things as well as thinking about what services to filter.
0
 
LVL 1

Author Comment

by:Johnny_Nguyen
ID: 24332584
Thanks very much for your helpful information
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now