I have 3 production line that have about 10 different pieces of equipment on each line from different vendors each.
We want to supply SSL VPN access to each line and each piece of equipment so each vendor can only accesss this equipment. They have already started this project and they fired the contractor 50% finished due to conflicts so now I am picking it up.
Thay have this proposed setup ISP> Cisco ISR 887VA>Cisco ASA 5512-X> Cisco Catalyst Core Switch which each line plugs into. The controller of each line sits on the core switch and server subnet of each line and has a layer 3 switch to allow commas to all the equipment it controls.
So first question if they have the ASA is the ISR 887 VA even needed? Can't the routing be done in the ASA since it's not that much? Would that be better?
The only thing I see they gain with having the ISR in front of the ASA is that the ISR is setup to be the DSL modem in a way and the ISR can hanlde dual WAN connections (internet connections) but dual ISP's are not planned for this setup. Do they even need the ISR?
Second question is how will the routing be done? The networking equioment will be on 172.16.1.0-255 so I can setup the VPN to connect the VPN user based on the credentials to the core switch and server subnet of each line easily and being a layer 3 switch they would be able to see all 10 pieces of equipment to to the layer 3 switch routing for the controller but how could I make that extra hop and VPN them into only the 10.10.3.0-255 subnet for the bagger on line # 1 for example
Sample of network is below.
Line # 1 is 10.10.1.0-255 Core Switch and server subnet
10.10.4.10-255 Robot Cell
10.10.7.0-255 Conveyor System
10.10.8.0-255 Inspection System
Line # 2
10.11.1.0-255 Core Switch and server subnet
10.11.4.0-255 Robot Cell
10.11.7.0-255 Conveyor System
10.11.8.0-255 Inspection System