VPN DESIGN

Hi,

I'm trying to design a centralized VPN architecture with Cisco equipment. Every branch office has a DSL or T1 link, and I want to connect all the branch offices to the headquarters data center with a VPN. The questions are:

Is it possible to send the branch offices' Internet traffic through the VPN?

If yes, how can I set this up, and what is the best routing protocol to use?

What kind of VPN tunnel should I use?

Should I also put the domain controller for all the branch offices in the headquarters data center? If yes, how can I broadcast the Microsoft protocols to join machines to the domain, share printers, files and others?

Can the Websense server be centralized? If yes, how? And which ASA appliance must be configured to forward HTTP traffic to the Websense (web filter)?


See the design below.

A lot of thanks, regards and all what you want

vpn-designinternet-websense-cent.jpg
jamill Asked:

Alexey Komarov, Chief Project Engineer, Commented:
Good day,
Is it possible to send the branch offices' Internet traffic through the VPN?
Yes.

If yes, how can I set this up, and what is the best routing protocol to use?
In this simple scheme it is possible to use a static route.

What kind of VPN tunnel should I use?
A site-to-site VPN tunnel, if the branch offices have a static Internet address.

Should I also put the domain controller for all the branch offices in the headquarters data center? If yes, how can I broadcast the Microsoft protocols to join machines to the domain, share printers, files and others?
You can install additional controllers at the branch offices to decrease the traffic and to make it possible to authorise users when there is no connection to the head office.

Can the Websense server be centralized? If yes, how? And which ASA appliance must be configured to forward HTTP traffic to the Websense (web filter)?
Websense can be centralized at the head office.
All ASAs need to be configured to work with it.
0
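
Added example, not written by either poster: the full-tunnel site-to-site setup the answer above describes (static route, site-to-site IPsec, branch Internet traffic sent to headquarters), for one branch, in ASA 8.4-style syntax. Every address, object name, the crypto map name and the key placeholder are constructed; it also assumes the branch traffic leaves to the Internet through the HQ ASA's own outside interface.

```cisco
! Constructed values: branch LAN 10.10.1.0/24, HQ LAN 10.0.0.0/16,
! branch peer 198.51.100.2, HQ peer 203.0.113.1, ISP gateway 198.51.100.1.
!
! ===== Branch ASA =====
object network BRANCH-LAN
 subnet 10.10.1.0 255.255.255.0
! Static default route to the ISP; the crypto map on "outside" then
! selects the traffic, so no routing protocol is required.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! Destination "any" places Internet-bound packets in the tunnel too
! (no split tunnelling), so they leave through headquarters.
access-list TO-HQ extended permit ip object BRANCH-LAN any
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address TO-HQ
crypto map VPN 10 set peer 203.0.113.1
crypto map VPN 10 set ikev1 transform-set AES256-SHA
crypto map VPN interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-KEY>
!
! ===== HQ ASA (IKEv1 policy and transform-set as on the branch) =====
object network HQ-LAN
 subnet 10.0.0.0 255.255.0.0
! Branch Internet traffic arrives on "outside" (decrypted) and leaves on
! "outside" again, so it is translated to the HQ public address here.
object network BRANCH-LAN
 subnet 10.10.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Permit traffic to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
! Keep HQ <-> branch traffic untranslated.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN
! Mirror image of the branch crypto ACL.
access-list TO-BRANCH extended permit ip any object BRANCH-LAN
crypto map VPN 10 match address TO-BRANCH
crypto map VPN 10 set peer 198.51.100.2
crypto map VPN 10 set ikev1 transform-set AES256-SHA
crypto map VPN interface outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-KEY>
```

Once the tunnel is up, `show crypto ipsec sa` on either ASA lists the negotiated selectors; the branch subnet should be paired with 0.0.0.0/0. Use the strongest Diffie-Hellman group the installed release supports in place of `group 5`.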
jamill, Author, Commented:
Thank you a lot

so

If yes, how can I set this up, and what is the best routing protocol to use?
In this simple scheme it is possible to use a static route.
*In the case of a dynamic routing protocol, which one can I use (OSPF or EIGRP)?

What kind of VPN tunnel should I use?
A site-to-site VPN tunnel, if the branch offices have a static Internet address.
Yes, I know, but with which technology (IPSec Direct Encapsulation, Point-to-Point GRE over IPSec, Dynamic Multipoint VPN (DMVPN), Virtual Tunnel Interface (VTI))?

Can I use the WAAS appliance to optimize and accelerate the traffic through the VPN?

0
Alexey Komarov, Chief Project Engineer, Commented:
You can configure OSPF.
But there is no particular point in it, because these devices connect to each other over one L2L link.
IPSec Direct Encapsulation
Yes, you may use it.
http://www.ciscopros.info/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd8051c104_ps6474_Products_White_Paper.html

0


jamill, Author, Commented:
Hello,

What's the better way to configure the VPN failover between the Cisco ASA of the branch office and the headquarters offices?


Regards
0
Alexey Komarov, Chief Project Engineer, Commented:
Hello,
You can put two ASAs at the headquarters office in active/passive mode for failover.

0
jamill, Author, Commented:
Hi

Do you have a configuration template or model?
May I use the 2 ISP option?
Please can you give more technical details (configurations, commands, protocols)?

Regards
0
Alexey Komarov, Chief Project Engineer, Commented:
Hi,
To use the scheme with two ISP providers, it is necessary to replace the ASA with a router.
Where do you wish to use 2 ISPs? At the headquarters office?
0