[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 562
  • Last Modified:

Internet Service for Branch Office

Hello Experts,
I am trying to come up with a good network design for my company's branch office.

Currently we have a main office with 800 users and branch office will have 30 users.
I have connected these two sites with Point to Point Wireless Bridge. Hence, the users are in same domain. The branch has a Cisco Switch configured with vlans and routing any traffic to the main office.

My major requirement.
I want to have branch office with a separate  and dedicated internet connection and simultaneously having access to the main office application. I want to have it this very securely, fast and optimum.

Our main office has Router in the edge, then ASA firewall and internal network.

What is the best solution to achieve this ?
0
cciedreamer
Asked:
cciedreamer
1 Solution
 
rauenpcCommented:
Get another ASA and install it at the branch office. configure either a static route or dynamic routing on the branch office switch to point at the new asa for internet-bound traffic. This assumes your branch office switch is a layer 3 switch and is being used as the gateway for the office.

Chances are you can get away with an ASA5505 Sec Plus so the cost won't be too high.
0
 
cciedreamerAuthor Commented:
First of all I appreciate your response.

What if get ADSL Cisco Router, connect to specific vlan and configure policy routing ? How about that ?

Samir
0
 
cciedreamerAuthor Commented:
Any updates.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Fred MarshallPrincipalCommented:
It's not clear to me why you are using/mention VLANs at the branch office.  So, I will ignore that for now.

I would strongly recommend keeping the configurations as much the same as makes sense to do.  Only important cost differences might change this view.  

So I would get another ASA of the same type if that's affordable and interface it to an ADSL modem in the branch office.

Apparently now you have the wireless link (or something connected to it) as the internet gateway for the branch.  This has to be changed of course.  

Now you have to deal with intersite routing.  When you say the sites are on the same domain, did you mean on the same subnet?  You have two choices it seems to me:

1) run broadcast traffic over the link.
2) use different subnets between offices.
0
 
cciedreamerAuthor Commented:
Sorry for the delay in response.
I would simplify my case. Currently I have connected the two buildings ( Main Office and Remote Site Office) with Point to Point Wireless Bridge. At remote site office I have layer 3 switch configured with 2 VLAN's for the staff and default static route to the wireless bridge at main office. The staff are taking domain services,application and internet service ( using main proxy server of main office).
Now I am thinking to segregate the internet services for the remote service.I want to provide them a DSL router to have there own internet access and at the same time having domain and application services from the main office.

Thanks.
0
 
kevinhsiehCommented:
You don't need a firewall at the branch office, just a router to connect the branch to Internet. What is the proxy server at the main site used for, and do you plan on providing that same functionality at the branch? You would need another proxy server at the branch. Just basic static routing is all you need.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Kevin may have picked up on something here that I have missed so I will try and choose my words carefully but I would not countenance any Internet connection that doesn't have a firewall in the middle of it.

I am guessing that the purpose of the change is to reduce the load over the 'bridge' by directing Internet traffic from the 'branch office' out of its own, local Internet connetction.

If this assumption is correct then an obvious question needs answering:
If the main site connection required a proxy and a firewall/router to be installed in order to protect the internal network then surely the same argument holds true for putting in another internet connection. as it will need to be protected to the same level.

Secondly, if you are introducing another Internet connection, I would also assume that you have considered the new options available such as failover/resiliency i.e. if the main internet connection ever failed, you could redirect the main site over to the new Internet connection for a short period until it was fixed. Again though, you would want the same level of protecxtion on the new Internet connection as on the primary.

Use of a proxy.pac file or equivalent would allow automated configuration of the clients based on source ip to the local Internet connection nearest to them (building A or building B).

Default gateway settings/dhcp scope will also configure the clients to point to the nearest Internet connection by default and static routes can be introduced so that internal building-to-building traffic (inter-domain) continues to use the 'bridge' as normal.

Keith
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now