Solved

Internet Service for Branch Office

Posted on 2013-01-11
Last Modified: 2013-02-06
Hello Experts,
I am trying to come up with a good network design for my company's branch office.

Currently we have a main office with 800 users and the branch office will have 30 users.
I have connected these two sites with a Point to Point Wireless Bridge. Hence, the users are in the same domain. The branch has a Cisco switch configured with VLANs and routing any traffic to the main office.

My major requirement:
I want the branch office to have a separate and dedicated internet connection while simultaneously having access to the main office applications. I want this to be very secure, fast and optimal.

Our main office has Router in the edge, then ASA firewall and internal network.

What is the best solution to achieve this?
0
Question by:cciedreamer
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38767894
Get another ASA and install it at the branch office. Configure either a static route or dynamic routing on the branch office switch to point at the new ASA for internet-bound traffic. This assumes your branch office switch is a layer 3 switch and is being used as the gateway for the office.

Chances are you can get away with an ASA5505 Sec Plus so the cost won't be too high.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38768039
First of all I appreciate your response.

What if I get an ADSL Cisco router, connect it to a specific VLAN and configure policy routing? How about that?

Samir
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38771694
Any updates?
0

 
LVL 26

Expert Comment

by:Fred Marshall
ID: 38772408
It's not clear to me why you are using/mention VLANs at the branch office.  So, I will ignore that for now.

I would strongly recommend keeping the configurations as much the same as makes sense to do.  Only important cost differences might change this view.  

So I would get another ASA of the same type if that's affordable and interface it to an ADSL modem in the branch office.

Apparently now you have the wireless link (or something connected to it) as the internet gateway for the branch.  This has to be changed of course.  

Now you have to deal with intersite routing.  When you say the sites are on the same domain, did you mean on the same subnet?  You have two choices it seems to me:

1) run broadcast traffic over the link.
2) use different subnets between offices.
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 38792514
Sorry for the delay in response.
I would simplify my case. Currently I have connected the two buildings (Main Office and Remote Site Office) with a Point to Point Wireless Bridge. At the remote site office I have a layer 3 switch configured with 2 VLANs for the staff and a default static route to the wireless bridge at the main office. The staff are taking domain services, application and internet service (using the main proxy server of the main office).
Now I am thinking to segregate the internet services for the remote service. I want to provide them a DSL router to have their own internet access and at the same time having domain and application services from the main office.

Thanks.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 38847859
You don't need a firewall at the branch office, just a router to connect the branch to Internet. What is the proxy server at the main site used for, and do you plan on providing that same functionality at the branch? You would need another proxy server at the branch. Just basic static routing is all you need.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 38848182
Kevin may have picked up on something here that I have missed so I will try and choose my words carefully but I would not countenance any Internet connection that doesn't have a firewall in the middle of it.

I am guessing that the purpose of the change is to reduce the load over the 'bridge' by directing Internet traffic from the 'branch office' out of its own, local Internet connection.

If this assumption is correct then an obvious question needs answering:
If the main site connection required a proxy and a firewall/router to be installed in order to protect the internal network then surely the same argument holds true for putting in another internet connection, as it will need to be protected to the same level.

Secondly, if you are introducing another Internet connection, I would also assume that you have considered the new options available such as failover/resiliency i.e. if the main internet connection ever failed, you could redirect the main site over to the new Internet connection for a short period until it was fixed. Again though, you would want the same level of protection on the new Internet connection as on the primary.

Use of a proxy.pac file or equivalent would allow automated configuration of the clients based on source IP to the local Internet connection nearest to them (building A or building B).

Default gateway settings/DHCP scope will also configure the clients to point to the nearest Internet connection by default and static routes can be introduced so that internal building-to-building traffic (inter-domain) continues to use the 'bridge' as normal.

Keith
0
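
The proxy.pac approach described in the accepted answer, as an added example that is not part of the original thread: clients pick the proxy of their own building by source IP, keep the other building's proxy as failover, and reach internal hosts directly over the bridge. The subnets (10.1.0.0/16 main, 10.2.0.0/24 branch), the proxy hostnames and ports, and the `.corp.example` suffix are assumptions made for illustration.

```javascript
// Added example proxy.pac; subnets, hostnames and ports are constructed placeholders.
var SITES = [
  { net: "10.1.0.0", mask: "255.255.0.0",   proxy: "PROXY proxy-main.corp.example:8080" },
  { net: "10.2.0.0", mask: "255.255.255.0", proxy: "PROXY proxy-branch.corp.example:8080" }
];
var INTERNAL_SUFFIX = ".corp.example";

// Dotted quad to unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inSubnet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), k = ipToInt(mask);
  if (a === null || b === null || k === null) return false;
  return ((a & k) >>> 0) === ((b & k) >>> 0);
}

// Pure policy function, so the decision can be tested outside a browser.
function proxyForClient(clientIp, host) {
  var i, order = [];
  host = host.toLowerCase();
  // Internal names and internal addresses skip the proxy and follow the
  // static routes across the bridge.
  if (host.indexOf(".") === -1 ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  for (i = 0; i < SITES.length; i++)
    if (inSubnet(host, SITES[i].net, SITES[i].mask)) return "DIRECT";
  // Local site's proxy first, the other site's as failover. Internet traffic
  // never falls back to DIRECT, so it always crosses a filtered egress point.
  for (i = 0; i < SITES.length; i++) {
    if (inSubnet(clientIp, SITES[i].net, SITES[i].mask)) order.unshift(SITES[i].proxy);
    else order.push(SITES[i].proxy);
  }
  return order.join("; ");
}

// PAC entry point. myIpAddress() is supplied by the browser and can return a
// loopback or VPN address on multi-homed hosts; those get the main-first order.
function FindProxyForURL(url, host) {
  return proxyForClient(myIpAddress(), host);
}
```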
