Solved

Infrastructural Strategy

Posted on 2012-03-31
Last Modified: 2012-04-08
Hello Experts,

I have a peculiar strategic workout for your brains!

It goes something like this...

One of my clients has two offices in different cities; their server is hosted in a data centre.
They have a leased line connection from the DC to the office at both locations, which provides them with two /30 subnets (thus forming a point-to-point link between each office and the DC).

Office A has an ASA 5505 (Security Plus licence), Office B has an ASA 5510 (Base licence) and the DC has a Cisco 2821 router (ISR).

Our ISP also provides a batch of public IP /29 addresses at both office locations.
Office A LAN - 192.168.1.0 /24
Office B LAN - 192.168.2.0 /24
DC LAN - 192.168.3.0 /24

Traffic from sites A and B must go through the DC in order to see the outside world (Internet) and vice versa. What I've done so far was to PAT the traffic from LAN A and LAN B to the DC (so both sites can access the server, which they did). However, browsing on the server seemed extremely slow, and whilst PCs in sites A and B can ping the server (in the DC), I was unable to ping any hosts on LAN A or B, probably because of the PAT setup.

I know my approach was poor, hence I come before the experts. Please suggest a better approach to me in this current topology.

If you guys need a topology map, let me know.

Thanks,

Mail
Question by:mail_mave
27 Comments
 
LVL 6

Expert Comment

by:awaggoner
ID: 37792115
Sorry to be slow, but what does DC stand for in your question?

In this forum, DC usually stands for Domain Controller
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37792122
I don't think you need to be using PAT at all; you should be able to use your Cisco equipment to create IPSec tunnels to encrypt the traffic over your leased lines.

You can create tunnels between A and DC, B and DC, and if A and B need to talk to each other, between them as well.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37792403
Since sites A and B are internal to your network (connected via P2P circuits back to your DC) there is no need for firewalls at the sites.  Sites A and B should be connecting via a Cisco router back to the internal P2P router at your DC (Data Center).  Internet traffic should then be passed up through your DC switch to your Internet firewall (i.e. Cisco ASA Firewall), which can then be passed to an Internet-based router.

If you prefer to use your firewall devices for routing between the sites then I would recommend not using PAT or NAT for this network architecture.  Use the firewall in a strict routing capacity.  Note your inter-domain traffic will be inherently slower due to the firewall's ACL filtering process and even slower if encryption is involved.  You would have to strip out all the ACLs and have a couple that completely open up all traffic between your sites and the DC, basically defeating the purpose of having a firewall.  With a router you still have the ability to use ACLs if necessary, but your traffic will flow more efficiently; plus it would be easier to manage in this capacity.
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37793222
Routers would be better than firewalls for this purpose, but they should work.  Minimal, or no, ACLs (except allow all) will be needed.

You should still set up encryption (IPSec) over your P2P links.  This traffic can still be captured.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793426
Why would you recommend encryption over a P2P?  These circuits are internal, dedicated, and are not exposed to the Internet.  Adding encryption would impede traffic flow.  So, unless there's a dire need to encrypt traffic, don't add the overhead of IPsec.  VPN is only intended for traffic traversing the Internet.  Encryption can effectively reduce the performance of an appliance by as much as 60% depending on the hardware and dedicated ASIC for encrypting and decrypting traffic.  If for whatever reason encryption is required then the Cisco ASA will perform better than a Cisco 2800 series router.

http://www.hacom.net/kb/ipsec-performance-cisco-asa-5510-measured-iperf
0
 

Author Comment

by:mail_mave
ID: 37793456
Hi guys,

I couldn't agree more with both of you that routers will be more purpose-specific in my situation. However, the client is on a very tight budget and I can't get him to spend any more.

@awaggoner

1. DC was intended to signify data centre; however, domain controller can also be true due to the fact that it sits in the data centre.

2. Site-to-site VPN came to my mind immediately when this project was assigned to me, but given that these are P2P lines, I ruled it out as I thought added encryption would negatively affect the performance.

@gsmartin
I've tried stripping all the ACLs and only left 'allow all incoming IP traffic from outside' and 'outgoing traffic from inside to out' in place, hence reducing the functionality of the firewall to make it more of a router.

On the note of agreeing with both of you on ACL reduction (which I've already done), would it be better if I were to configure a dynamic routing protocol on the ASAs, or use static routes from LAN A and LAN B to LAN DC?
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793458
Now allow me to clarify something that I mistakenly misreferenced: the Cisco ASA firewalls will outperform a Cisco router, but are overkill for this architecture.  The performance capabilities will have no benefit over standard P2P lines.  Cisco ASAs have the processing power that can handle sizable traffic.  However, their marketing material overstates their actual performance, as indicated in the referenced ASA iPerf article.  It would be best to repurpose them for a more appropriate use.

Typical network design would have a router at each location for internal traffic routing needs (with no encryption).
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793463
FYI... I wrote my previous comment prior to reading your last post.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793478
It's a simple architecture where you can easily get by with static routes, but EIGRP is preferred from a dynamic routing perspective.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793491
FYI... In my network architectures I only use site-to-site VPNs as a last resort or for temporary purposes, primarily because I lean toward centralizing as much of the network resources as possible, to simplify management and troubleshooting, for better scalability, and for overall hardware costs.  Environments with public MPLS or P2P VPN at each location require multiple costly security devices to manage traffic at each location and add significant additional costs when scaling the network.
0
 

Author Comment

by:mail_mave
ID: 37793492
On the ASA itself (let's say Office A), when I provide a default route such as

route outside 0.0.0.0 0.0.0.0 1.1.1.2

(where 1.1.1.1 is office A and 1.1.1.2 is the DC) it knows how to reach the LAN DC; however, for some reason the 2821 in the DC doesn't seem to know about LAN A.

Even though I've provided the static route on the router, such as

ip route 192.168.1.0 255.255.255.0 1.1.1.2 (I've even tried the interface)

And I don't think that any ACL on the ASA is blocking that traffic (because it will allow any IP traffic to pass).

That was the reason I configured PAT in the first place, as I was unable to come up with a different strategy.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793502
So, back to the topic.  Your objective should be to turn your firewalls into basic routers with no encryption, no NAT or PAT, and with basic routing, either static or dynamic.  Dynamic is better if the company plans to expand and add additional sites in the future.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793508
My first question is: why are there public IP addresses on a private P2P circuit?
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793520
Since you are using an ASA firewall you need to make sure you are allowing all traffic in from the DC to the respective office.  Then allow internal office traffic out to the DC.  You will need an ACL for each direction (In to Outside and Outside to In) with the appropriate networks.
0
 

Author Comment

by:mail_mave
ID: 37793527
"My first question is why is there public IP addresses on a private P2P circuit?"

This is due to the fact that the ISP in place has provided us with this circuit. Also, these offices are in different parts of the country.

PS: I've enclosed a sanitised Topology diagram for better understandability.
Untitled.jpg
0
 

Author Comment

by:mail_mave
ID: 37793529
"You will need an ACL for each direction (In to Outside and Outside to In) with the appropriate networks."

I take it this is on the ASAs rather than the router?

Also, wouldn't any-any serve the same purpose?

Cheers
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793539
Here's a Cisco document on configuring IP routing on the ASA.  This provides you with a more in-depth understanding on how the ASA functions in this capacity.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37793549
Correct on the ASA.

Any to Any is only mapping from source to destination.  So you will need to do it in both directions.
0
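The routed, un-NATed setup the thread has converged on at this point, written out as an added example; this is not configuration posted by either participant. It assumes ASA 8.2 syntax, the 1.1.1.1/1.1.1.2 placeholder /30 from the question, and interface names (Vlan1/Vlan2 on the 5505, GigabitEthernet0/0 and Serial0/0/0 on the 2821) that the thread never states.

```cisco
! --- Office A: ASA 5505, ASA 8.2 syntax ---
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
! Everything that is not local goes to the DC end of the /30 (Internet included)
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
!
! Identity NAT: LAN A reaches the DC LAN with its real addresses, so no PAT is applied
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! One ACL per interface, scoped to the two LANs instead of any/any; the ASA is stateful,
! so replies to inside-initiated connections are allowed without an explicit entry
access-list OUTSIDE-IN extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
access-list INSIDE-OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-OUT in interface inside
!
! --- DC: Cisco 2821, IOS; interface names are assumed ---
interface GigabitEthernet0/0
 description DC LAN
 ip address 192.168.3.1 255.255.255.0
interface Serial0/0/0
 description leased line to office A
 ip address 1.1.1.2 255.255.255.252
!
! Return route for LAN A: the next hop is the office A end of the /30, 1.1.1.1
ip route 192.168.1.0 255.255.255.0 1.1.1.1
! Office B is configured the same way with its own /30 and 192.168.2.0/24
```

With the return route in place, `show route` on the ASA and `show ip route` on the 2821 should each list the far-side LAN before any ACL is revisited.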
 
LVL 6

Accepted Solution

by:
awaggoner earned 250 total points
ID: 37793749
Just because it is a dedicated circuit does not mean it is secure.  Just do a search for MPLS vulnerabilities.

http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/136523-7407820

http://www.tmplab.org/wiki/images/e/ef/MPLS_Security_Overview.pdf
http://www.blueridgenetworks.com/securitynowblog/retail-mpls-data-networks-at-risk

Point-to-point connections rely on traffic separation, not security.
0
 

Author Comment

by:mail_mave
ID: 37794722
@awaggoner

I've read all the references that you've posted and they seem quite sensible. I'll go and email the ISP to find out the nature of these P2P links in place; I firmly believe they are MPLS but I could be wrong.

Will let you guys know :)
0
 
LVL 8

Assisted Solution

by:gsmartin
gsmartin earned 250 total points
ID: 37794746
If your circuits are not P2P and are in fact MPLS then you will need to take a different approach.  One thing I was curious about before is that you had your sites going to a public IP as your default gateway, which indicates to me it could be an MPLS circuit.  If so, then you will definitely need to secure them with your ASAs and create site-to-site VPN tunnels.  Confirm the circuits at all sites to ensure we are approaching this correctly.
0
 

Author Comment

by:mail_mave
ID: 37795295
An update guys,

This is an MPLS circuit.

Think IPsec might be useful now?
0
 
LVL 6

Expert Comment

by:awaggoner
ID: 37795587
Definitely
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37796180
Agreed!  With an MPLS Internet circuit you will need to protect each network using the ASA firewalls and then create your site-to-site VPN tunnels.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37796240
For this configuration you do not want to use ANY to ANY rules.  Make sure to secure your network traffic based on your needs and traffic patterns.  Also, make sure you are NATing your traffic.  Generally, you want to block all traffic and then allow only specific service ports and networks to pass through in your ACL configuration.  Also, define your static routes based on your traffic patterns.
0
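The site-to-site IPsec tunnel over the MPLS circuit that the thread settles on, with the any-to-any rule replaced by a service-specific inbound ACL, as an added example on the office A ASA; it is not configuration from either participant. It assumes ASA 8.2 syntax, the interfaces and default route from the routed setup, the 1.1.1.x placeholder addresses from the question, and RDP (tcp/3389) as a stand-in for whatever the DC actually needs to reach in LAN A.

```cisco
! Office A ASA 5505, ASA 8.2 syntax; interfaces and default route as in the routed setup
! Interesting traffic: LAN A <-> DC LAN. The DC end needs the mirror image of this ACL.
access-list VPN-A-DC extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! Tunnelled traffic keeps its real addresses (no NAT/PAT between the LANs)
nat (inside) 0 access-list VPN-A-DC
!
! Phase 1 (IKEv1) and phase 2 (ESP) policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-A-DC
crypto map OUTSIDE-MAP 10 set peer 1.1.1.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Peer definition; the pre-shared key is a placeholder to be replaced with a long random secret per site
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! Decrypted VPN traffic bypasses interface ACLs by default; turn that off so the
! outside ACL is enforced, then permit only the services the DC needs in LAN A
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389
access-list OUTSIDE-IN extended permit icmp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-group OUTSIDE-IN in interface outside
```

Internet-bound traffic from LAN A still follows the default route to the DC in the clear; widening VPN-A-DC and the nat 0 ACL to destination any tunnels everything to the DC instead.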
 

Author Comment

by:mail_mave
ID: 37798577
Sounds good

The only question that remains is, referring to the earlier posted topology diagram:

On sites A and B, we have a batch of public IPs, a /29 subnet. On site A I do have a couple of web servers which will require public IPs; now correct me if I'm wrong, but when I build an IPsec tunnel between site A and the DC, only LAN A's traffic will be passed to LAN DC.

How can I pass the traffic from these public IP addresses to the DC?

Is GRE tunnel an answer ? Is it even possible with ASA 5510?
0
 

Author Comment

by:mail_mave
ID: 37821342
Well, IPsec tunnels seem to have resolved the lag issue; however, some other issues remain.

I'll open up a new thread for discussion, and I'd like to thank both the experts and award them equal points.

Cheers,

Mail
0