s a

asked on

Networking - VPN Tunnels question

Hey all, networking question.... we have a lot of IPSec VPN tunnels to outside vendors, customers, clients, etc.

So the way we have done it is connect our public IP with their public IP and grant permissions to the relevant internal IPs/devices, using PSK (IKEv1 and IKEv2 or something) plus preshared keys for security. I think this is how most people do it?

We are moving to a few new IPs and may switch again a few years after that, and obviously every time we switch ISPs we get a new IP address block, and hence we have to reconfigure all the VPNs with all the customers, clients, etc. because of this.

Is there a better way to do this? I know you can buy an IP block from ARIN and move this IP block between ISPs and hence don't have to keep reconfiguring them every time we switch, but they only sell a /24 network and we definitely don't need 128 IPs, and you have to prove you need all of them. The nice thing about this one is that it would also give us the ability to do BGP with an AS # (I think), and be easy to fail over between ISPs should one go down, and not have to worry about multiple ISP VPN tunnels and such....

I also heard there is a way to configure IPSec VPN tunnels to DNS names or something? Hence if I purchased a cloud DNS name (or an internal one, not sure), say outsidevpn.company.com, I can configure the IPSec VPN tunnels from the outside to this? So if we do switch IPs we don't have to worry about it, since all the vendors would simply have the tunnel to outsidevpn.company.com? I don't know how BGP/failover would work, or if we still need IKEv1, IKEv2, etc.

Any suggestions? Thanks
Salah Eddine ELMRABET

Hi Friend,

If you plan to change your IPs in the future, it's better to use names instead of IPs, and the names can be managed either by a DNS server or simply by local host mapping.

Best Regards.

Salah
s a

ASKER

Thanks, could you give me more info? Can the ASAs and other networking brands or devices support names? Cisco TAC is telling me it is not possible.

Would a DNS server be something like Amazon AWS?
Hi,

Of course ASA supports names!!!

To configure a local host name to IP mapping, here is the command: ip host router1 172.31.1.1

To configure DNS name resolution, refer to the following link: https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting

For the DNS server: for sure you have a domain name!! Is this domain name managed by yourself and you have a DNS server, or is it managed by your ISP? In all cases an A record needs to be defined in the DNS server.

For your info, in your VPN concentrator it's not mandatory to use local host name mapping or DNS resolution, since it is your customers and clients who will be affected by the IP address changes. So if they have Cisco ASA appliances you can share the procedure with them; otherwise I can't help, since the device brand is unknown.

Best Regards.

Salah
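One caveat a practitioner would want alongside the advice above: on most IPsec implementations a peer hostname is resolved once, when the configuration is applied, so a tunnel defined by name still goes stale when the partner renumbers unless something re-checks DNS. The following Python script is an added example, not code from this thread or from Cisco. It keeps a small inventory of peers (hostname plus the address stored when the tunnel was last configured), re-resolves each name, and reports the peers whose tunnel definition needs updating. The hostname outsidevpn.company.com is the one from the question; the other hostnames, the addresses (RFC 5737 documentation ranges) and the DNS answers are constructed.

```python
"""Detect IPsec peer definitions whose configured address has drifted from DNS.

Constructed example: a small inventory of site-to-site peers, each recorded by
the hostname the partner publishes (e.g. outsidevpn.company.com) together with
the IP address that was resolved when the tunnel was last configured. Most
IPsec implementations resolve a peer hostname only at configuration time, so
when the partner renumbers the stored address goes stale. This script
re-resolves each hostname and reports the peers that need their tunnel updated.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Peer:
    name: str           # partner-side hostname used to identify the tunnel
    configured_ip: str  # address resolved when the tunnel was last configured


@dataclass(frozen=True)
class Drift:
    peer: Peer
    resolved_ip: Optional[str]  # None when the hostname no longer resolves


def resolve_with_system_dns(hostname: str) -> Optional[str]:
    """Resolve using the system resolver; None if the name does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def find_stale_peers(peers: List[Peer],
                     resolver: Callable[[str], Optional[str]] = resolve_with_system_dns
                     ) -> List[Drift]:
    """Return the peers whose current DNS answer differs from the stored address.

    A peer whose name fails to resolve is reported too (resolved_ip=None): a
    tunnel whose peer name has disappeared is as broken as one pointing at the
    wrong address.
    """
    stale = []
    for peer in peers:
        current = resolver(peer.name)
        if current != peer.configured_ip:
            stale.append(Drift(peer, current))
    return stale


# Constructed inventory (addresses from the RFC 5737 documentation ranges;
# hostnames are placeholders in the style of the question's outsidevpn.company.com).
SAMPLE_PEERS = [
    Peer("outsidevpn.company.com", "203.0.113.10"),
    Peer("vpn.vendor-a.example", "198.51.100.20"),
    Peer("vpn.client-b.example", "192.0.2.30"),
]

# Constructed DNS answers standing in for a real lookup: company.com renumbered,
# vendor-a is unchanged, client-b's record was removed.
SAMPLE_DNS = {
    "outsidevpn.company.com": "203.0.113.200",
    "vpn.vendor-a.example": "198.51.100.20",
}


def sample_resolver(hostname: str) -> Optional[str]:
    """Offline resolver over the constructed answers above."""
    return SAMPLE_DNS.get(hostname)


def report(peers: List[Peer],
           resolver: Callable[[str], Optional[str]] = resolve_with_system_dns
           ) -> List[str]:
    """Human-readable line per stale peer, suitable for a monitoring alert."""
    lines = []
    for d in find_stale_peers(peers, resolver):
        if d.resolved_ip is None:
            lines.append(f"{d.peer.name}: no longer resolves "
                         f"(tunnel configured for {d.peer.configured_ip})")
        else:
            lines.append(f"{d.peer.name}: DNS now {d.resolved_ip}, "
                         f"tunnel still uses {d.peer.configured_ip}")
    return lines


if __name__ == "__main__":
    # Swap sample_resolver for resolve_with_system_dns to check real records.
    for line in report(SAMPLE_PEERS, sample_resolver):
        print(line)
```

Run from cron on the VPN concentrator's management host (with the system resolver), this turns the "partner renumbered and nobody told us" failure into an alert before the tunnel drops; the same check, run by each partner against your published name, is what makes the DNS-name approach from the question actually survive an ISP change.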
s a

ASKER

Hi, we are considering getting 10GB switches (most likely copper) for our environment....

We currently have a few servers, including a SQL server, that are experiencing some network-related bottlenecks.

There are a few servers that 'talk' mostly to each other (application to/from database servers), so we were planning on getting 10GB NIC cards for them and a 10GB switch to connect them to, to increase throughput.

I was wondering though, if we kept the 1GB NICs for regular network connectivity and simply added 10GBE NICs for the servers and connected the servers directly to each other via the two new 10GBE NICs, would that work?

Also, what is the biggest difference between 10GBE and 10GBASE-T?
ASKER CERTIFIED SOLUTION
Salah Eddine ELMRABET

This solution is only available to members.
s a

ASKER

Rebuild with 10GB!

Thanks
Nice to hear about it!