04-18-2013 11:55 AM - edited 03-11-2019 06:31 PM
We installed a new ASA 5515 about a month ago for the corporate office we also have 40 branch locations that feedback VOIP, camera, and Citrix to the corp location. Each of the branch locations have a separate DSL connection with a local provider and all of them are dynamic IP addresses.
~
The problem I have is that I cannot figure out a access rule to make the voip traffic work 100% of the time what ends up happening is five or six random locations change IP address's every day and I could not figure out how to create a access rule for that so I create a static route with that dynamic IP and then it will change a week or so later. That's a horrible security risk and a lot of manual work.
Is there something better within the ASA that I can do to fix this issue?
04-18-2013 12:02 PM
Hi,
So you are saying that the branch offices are using basic DSL connections which use DHCP and they are connecting to your central site servers with that DHCP IP address?
I guess one of choises would be to configure VPN between the branches and the central site. Then the branch sites could communicate with the central site with the actual LAN device IP addresses for which rules could be made and there would be no need to constantly change the rules.
If the branch devices were ASA/PIX firewalls for example, you could configure them as Hardware VPN clients and then the DHCP IP address wouldnt really matter. The branch site firewall could form the VPN connection with central site no matter what its public IP address was.
Ofcourse when we are talking about 40 branch offices, if you dont already have devices capable of VPN there and/or you have a multitude of different devices types at the branch internet edge then this might be a time consuming operation.
Or are you perhaps using ASA/PIX firewalls also on the branch sites?
By the way, what do you mean with the static routes? If they are connecting through the Internet then wont the default route on the central ASA already handle the routing towards those sites no matter what their public IP address. Or did I understand your setup wrong somehow?
- Jouni
04-18-2013 12:10 PM
Actually, it's better to use some kind of remote-access VPN between the peers and head office. In that case you won't have to bother yourself with filtering of packets based on the public IPs on the peers. It will solve any filtering issues you have now and there won't be any routing problems between sites, due to the RRI.
If not vpn, another option, although it's not a good one)) is to use FQDN in ACLs configurations, but it has pretty big limitations (related to timing) and i doubt that it may be implemented to your case.
So, to my understanding, the only option is to use RAVPN.
04-18-2013 12:32 PM
Each of the branch locations has a DSL modem, mostly AT&T or comcast but there is some odd balls since there spread out across the state of Missouri. From there we have a NetGear switch to add ports, a VOIP phone, thin client running citrix, fax machine, DVR for recording the camera's in each store, and a a network printer.
At the moment the boss is very resistant to add a new device like a ASA or Meraki because of costs.
~
I've been going into ASDM: Device Setup: routing: Static Routes and creating a route on the Voip interface with the dynamic IP of the store to punch it through the ADA but that's a horrible practice.
~
I'm wondering if I could install the AnyConnect client on Citrix and have them use the VPN connection that way?
EDIT: Well that was a stupid thing to wonder That would only effect the citrix traffic (loan application software primarily) and not the voip traffic since it's not on the thin client. Sorry about that.
04-18-2013 12:49 PM
Hi,
To really connect the whole branch network to the central site you would need some sort of network device that forms the VPN connection with the central site.
I would imagine in your case even the ASA5505 would do and it would be the cheapest model. But again with 40 branch offices it would still add up to quite a big amount of money. Latest price I have on the ASA5505 (Base License/10 User) 350-600$
I am not sure if the Small Business products could provide the same capabilities any cheaper. I have never handled those devices.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide