01-18-2015 09:18 PM - edited 03-05-2019 12:35 AM
I have a difficult problem... Please forgive my ignorance.
I have a consumer-grade router called a "Fritz!Box 7390" on the edge of our network (in Germany -- very capable, very popular little box).
Following are the telephony characteristics:
Next are the "WAN" characteristics:
Finally, the internal network specs on this device:
What I want to do (PLEASE tell me if I can't or if it's just too crazy):
What equipment I have in addition to the servers/NAS:
Right now everything works fine on the one common subnet. I tried splitting out the VLANs using the 881 and could ping everything from both sides but couldn't get the services to traverse to the "consumer" network, and, for example, couldn't get access from the Internet (or the consumer network) to the Exchange server. My Microsoft DNS also got messed up because of the subnet changes, though I think that was just a matter of letting things settle out for it to work. I was flummoxed.
I know I should be using a simple DSL modem on the edge and connecting that to the ASA, but I'm pretty sure that I can't easily mess up my telephony from Deutsche Telekom and I would lose my WAP.
Is there any way to keep this consumer network separate and add new VLANs/subnets for the business network? I actually have multiple PCs I'd like to have join the domain, but I can't really get there until I address this problem. I'd also like to get to lab devices over the Internet, even if that only means going through the 2511 terminal server.
If you think I should break up this post -- separate it out -- and/or post it in multiple communities, I'd be happy to. Just let me know.
Is there anyone who can help me with this thorny issue?
Regards,
jeremyNLSO
P.S. I can post the configs from the attempt with the 881 and 2960 if it's helpful...
01-19-2015 09:37 AM
Hello.
Reading through the description I thought of the following topics:
1. get rid of your current WAN VDSL device (or at least make it a bridge);
2. configure your ASA for routing, making it WAN-faced;
3. move your devices from current shared subnet to ASA.
Regarding topic 1 - I'm not sure if you could decommission the box, as it terminates your phone lines and is also provided as a managed service. I believe you either need a dedicated service for telephony and the Ethernet link, or you may ask your provider how to configure the box as a bridge, so your ASA device could have a public IP address.
I would recommend buying a static IP address, so you wouldn't have to rely on DynDNS. It might also be worth buying a subnet of public IP addresses (like a /29).
Regarding topic 2 - you may configure your ASA as the WAN-facing device, and configure NAT and routing for the current shared subnet; you may also start configuring other subnets.
ASA supports DNS doctoring, so it would be easier if you want to support split-DNS.
Also, if you need HA for the ASA, you would be better off looking at a 5510 or 5515 device.
PS: do not publish the RDP service over NAT, as it's not safe! Always wrap RDP in a VPN (ASA or router based) or SSL (RD Gateway).
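The layout the reply above sketches (bridged modem, ASA holding the public address, separate business and consumer subnets, static NAT with DNS doctoring for the mail server, no RDP exposed, remote access only through a VPN), written out as an added example. This is not the poster's config or anything from the thread: it assumes an ASA running 8.4 or later (object NAT syntax) with a routed Ethernet0/1 carrying 802.1Q subinterfaces to the 2960, an assumed public /29 from the documentation range (203.0.113.0/29, gateway .1), assumed private ranges 192.168.10.0/24 (business), 192.168.20.0/24 (consumer) and 192.168.30.0/24 (VPN pool), and an assumed Exchange host at 192.168.10.25. The interface and object names are placeholders.

```cisco
! Added example, not the poster's configuration. All addresses and names are assumed.
hostname asa-edge
! WAN side: Fritz!Box in bridge mode, the ASA owns the public address
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
! LAN side: one trunk to the 2960, one subinterface per VLAN
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/1.20
 vlan 20
 nameif consumer
 security-level 50
 ip address 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! PAT both internal subnets to the outside address
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network CONSUMER-NET
 subnet 192.168.20.0 255.255.255.0
 nat (consumer,outside) dynamic interface
! Static NAT for Exchange; "dns" rewrites A-record replies so internal
! clients resolving the public name get 192.168.10.25 (DNS doctoring)
object network EXCHANGE
 host 192.168.10.25
 nat (inside,outside) static 203.0.113.3 dns
! Inbound from the Internet: only SMTP and HTTPS to Exchange (real address,
! as required from 8.3 onward). No 3389 here on purpose.
access-list OUTSIDE-IN extended permit tcp any object EXCHANGE eq 25
access-list OUTSIDE-IN extended permit tcp any object EXCHANGE eq 443
access-group OUTSIDE-IN in interface outside
! Consumer VLAN reaches the Internet but not the business VLAN. The explicit
! deny matters: once an ACL is applied, the security-level default no longer
! applies to that interface.
access-list CONSUMER-IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CONSUMER-IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group CONSUMER-IN in interface consumer
! Remote access (AnyConnect) for RDP and the 2511 console server instead of
! publishing RDP. Assumes an AnyConnect image is already on disk0:.
ip local pool VPN-POOL 192.168.30.10-192.168.30.50 mask 255.255.255.0
object network VPN-POOL-NET
 subnet 192.168.30.0 255.255.255.0
! NAT exemption so VPN clients see the real inside addresses
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
access-list SPLIT-ACL standard permit 192.168.10.0 255.255.255.0
webvpn
 enable outside
 anyconnect enable
group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-GP
```

Two things to check after applying something like this: `show nat` should list the EXCHANGE static entry before the dynamic PAT entries (object NAT orders statics first), and `show xlate` after an internal client resolves the public mail name should show the doctored reply. On a 5505 the same design needs the switchport-based VLAN syntax instead of subinterfaces, and the Base license only allows a third VLAN with `no forward interface`, which is one reason the reply above points at the 5510/5515 class.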
04-20-2015 08:08 AM
I've been sick, in the hospital, and traveling overseas since the original post. Does anyone else have any ideas?
I have found out from the telecom provider that I can get a bridge on the edge, and then get ISDN configured separately for the telephone lines like it used to be.
Any additional thoughts?
Thanks in advance...