We help IT Professionals succeed at work.

New network Deisgn

Last Modified: 2012-05-09

My company is busy changing ISP's and we are busy with a network re-design.

Basically we have the following set of equipment are try to make the best use of it together with a secure design:

We have:
1 x Cisco ASA 5520
1 x Cisco ASA 5510
1 x AstroFlowGuard (Bandwidth manager)
2 x Barracuda Web Filters
1 x Barracuda Load Balancer (To load balance the web filters)
And other email and web servers that will be in the DMZ

Basically what I have come up with is using the 5520 as my main firewall with 2 x DMZ's, 1 x Inside and 1 x Outside. On the Inside interface I have placed the LoadBalancer with will be connected to the MPLS VRF (where all 60 of my sites hang off). The loadbalancer will the point to the 2 Barracuda Web Filters, which will inturn have thier default gateway set to the AstroFlowGuard (Bandwidth manager). In the Second DMZ all my email and web servers will be hosted. If I then set a default route on the ASA to point to the AstroFlowguard's IP and then set Astroflowguard to point to my "real" breakout router, will this work. As I can't figure out a way to get the bandwidth manager to work as it needs to be setup in a transparent bridge mode to work correctly.

I have tried to put together a diagram as to how i think this should work however I am not sure if there is a better/ smarter way of achieveing a better design.

Any help will be greatly appreciated as I am at a loss at the moment.
Watch Question

Top Expert 2010

Looks like it should work. How is it different from your old design? What current issues do you have that you wish to address?



My current network is very different from this design as we dont have any bandwidth managers, and currently make use of proxy's that are not transparent hence the need for IE proxy setting on the clients.

The new network is also on MPLS compared to frame-relay (Current Network).

I still can't figure out how to get the AstroFlowguard to work as this needs to be setup in a transparent bridge mode, which from what i understand should be inline with the firewall inside interface and the switch, im i correct?

See attached pic for current network.



As per my understanding, the attached diagram should do you good.
As the Astroflow is to manage the BW, they can be placed inline between the firewall and the router and manage ur incoming and outgoing trffic. The load balancer can take care of the barracuda traffic. Where have u used the other ASA ?



Hi ujitnos,

Thanks, for the diagram. However have a few questions:

1. If the Loadbalancer is in DMZ 1 with the 2 Barracuda Web Filters, how do I route all internet traffic to this Loadbalancer without using WCCP? As if I use WCCP Barracuda will not work with NTLM auth. and as a transparent proxy, I willl then have to add IE settings like I currently do, which I dont want to do.

2. With AstroFlow inline between the ASA 5520 outside interface and the router, Would this still allow me to do all my NATting on the ASA for my servers in the DMZ 2 and a few NAT's that might be in on the inside interface? and does it mean that my AstroFlow now needs to have a public IP?

3. The other ASA 5510 will be used for my VPN, but still trying to figure out where to place that in the network.

Once again thanks for the comments / options.

This one is on us!
(Get your first solution completely free - no credit card required)


Hi ujitnos,

This looks like a much better design, however I am still abit concerned about the AstroFlow being on the outside of the firewall. Would it not affect any of my nats that i will have setup on the Firewall, eg, NAT for my MX pointing to my Marshal server in the DMZ?


Does ur AStroflow do any routing or NAT-ing ? I feel its just a transperant device to manage the bandwidth. All u might need to do is manage the Public IP nad not the private IP address. Doe the interface have IP address other than a management IP?
I am comparing the astroflow with the PacketShaper from bluecoat, hence the design. If the funtionality of astroflow is any diferent, please correct me. Packetshaper is a transperant device used to manage various services like IPSEC, HTTP, Messengers etc. kind of QoS/Bandwidth Mgmt.



No the AstroFlow doesn't do any routing or NAT-ing. As far as I know it is just a pure B/W manager. And has only one IP which is the management IP address.

So i think you can compare it to the Packetshaper as it does all the above like you stated.

Correct me if im wrong but now does that mean I have to manage the Public addresses on AstroFlow from my internal ip's instead of managing the private IP's?

And AstroFlow will now have a Public address and not a Private address. If I do this would I still be able to connect to AstroFlow from within my network to manage the device?

Thanks for all the info thus far...

dont give astroflow a public IP, as the managemetn IP. Whats the internal IP of your internet routter? Private right? In the similar way give it a private IP.
The BW management is related to the varoius interent related services, rgt? LIke HTTP, HTTPS, SMTP, Facebook, P2P etc. So u will be basically managing the services coming and going to the internet.


The Ip of my internet router is of  196.x.x.x and the ip of my outside interface on the ASA is also 196.x.x.x in the same subnet class.

Well, thats bad. Normaly the inerface on which the internet link is terminated is of the public ip and the internal IP is of private IP.  
Was there any particular reason behind giving a public ip to the internal interface of the router? Where is the internal IP address defined?
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.