11-23-2010 10:21 AM - edited 03-04-2019 10:33 AM
Dear Madams/Sirs,
My company is upgrading its network to Metro Ethernet E-Lines. We have already made some tests
with old routers such as the 2600 series, and they are OK.
Also, my company is thinking of buying crypto IPsec devices (in addition to the IPsec of the Cisco routers).
I would like to ask the following:
1. Should those crypto devices be installed between the router and the network provider's devices, or somewhere else? Some companies gave us a design
where those devices are installed between the router and the switch. Actually, I don't understand how this design will work.
2. What should I take care of so that those devices work perfectly, without delay or latency, and without causing feature problems on our network?
Thanks,
Moses
PS. All our network devices are Cisco.
11-24-2010 09:25 AM
Moses,
As you stated, let's assume this scenario:
LAN -- switch --- ASA -- Router -- Internet
If you configure the ASA (or an equivalent device) for IPsec, you need to specify with ACLs the traffic to be protected (encrypted).
These ACLs are normally defined for traffic going to a remote site or to VPN clients.
Since only the traffic specified in the ACLs is encrypted, other traffic (Internet traffic) is not going to be affected by the VPN.
The communication between the LAN and the router will still be in clear text (unless the source and destination of the packet match the ACL configured to trigger the IPsec negotiation).
In other words...
Traffic that comes from the LAN to the router (and doesn't match the crypto ACL on the ASA) won't trigger IPsec and will flow fine between the LAN and the router (going through the ASA).
I hope it makes sense.
Federico.
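The selection rule Federico describes (only packets matching a "permit" entry in the crypto ACL are encrypted; everything else, including LAN-to-router traffic, is forwarded in the clear) can be modelled to see which flows an IPsec gateway would protect. The block below is an added example, not code from this thread or from Cisco: it parses a constructed crypto ACL written in Cisco extended-ACL syntax (wildcard masks, `host`, `any`), applies first-match evaluation to a few constructed flows, and includes a check that the peer's ACL is the mirror image of ours. The addresses, the ACL number 110 and the helper names (`parse_crypto_acl`, `classify`, `mirror`, `demo`) are all assumptions for illustration; only `ip` entries with contiguous wildcard masks are modelled.

```python
"""Added example (not from the thread): which flows a crypto ACL sends into an IPsec tunnel."""
import ipaddress
from dataclasses import dataclass

# Constructed sample crypto ACL, Cisco IOS extended-ACL syntax.  Assumed topology:
#   LAN 192.168.10.0/24 -- switch -- IPsec gateway -- router 203.0.113.1 -- Internet
# Remote sites reached through the tunnel are assumed to be 10.20.0.0/16 and 10.40.0.0/16.
# The 'deny' line exempts 10.20.30.0/24 from encryption even though the next 'permit' covers it.
CRYPTO_ACL = """
access-list 110 deny   ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.40.0.0 0.0.255.255
"""


@dataclass(frozen=True)
class Ace:
    action: str                   # 'permit' = encrypt, 'deny' = exempt from encryption
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # Assumption: contiguous wildcard masks only (0.0.0.255 -> /24).  Cisco also accepts
    # non-contiguous masks, which this helper does not model.
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_crypto_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines into Ace entries, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue                      # only plain 'ip' entries are modelled here
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def classify(aces, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation: 'encrypt' for interesting traffic, 'clear' for everything else."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return "encrypt" if ace.action == "permit" else "clear"
    # Implicit deny at the end of a crypto ACL means "not interesting": the packet is
    # forwarded unencrypted, not dropped (a firewall ACL would drop it).
    return "clear"


def mirror(aces):
    """The remote peer's crypto ACL must be the mirror image (src/dst swapped) of ours."""
    return [Ace(a.action, a.dst, a.src) for a in aces]


def mirrored_consistently(aces, peer_aces, src_ip: str, dst_ip: str) -> bool:
    """True when both ends make the same encrypt/clear decision for a flow and its reply."""
    return classify(aces, src_ip, dst_ip) == classify(peer_aces, dst_ip, src_ip)


def demo():
    """Classify a few constructed flows from a LAN host; returns {label: decision}."""
    aces = parse_crypto_acl(CRYPTO_ACL)
    flows = {
        "LAN -> router": ("192.168.10.5", "203.0.113.1"),       # no match: clear text
        "LAN -> remote site A": ("192.168.10.5", "10.20.1.7"),  # permit: encrypted
        "LAN -> exempted subnet": ("192.168.10.5", "10.20.30.9"),  # deny first: clear
        "LAN -> Internet": ("192.168.10.5", "198.51.100.20"),   # no match: clear
    }
    return {name: classify(aces, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

Two practical checks fall out of this model: anything the gateway must talk to directly (the router, management stations, DNS) should not fall under a `permit` entry, or it will be wrapped in ESP and the router will see only ciphertext; and the peer's ACL must mirror ours, otherwise the two ends disagree on what is "interesting" and the tunnel negotiation fails for those flows.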
11-24-2010 06:18 AM
Hi,
Are you considering ASAs?
The ASA will be the firewall and VPN server.
You can place the ASA behind the Internet router and protect the network.
There are different designs depending on your topology, but normally you will want the ASA to protect the internal LAN from the outside world, and you can use IPsec for the VPN.
Federico.
11-24-2010 09:19 AM
Dear Federico,
Thanks for the information. Of course, I am not talking about the Cisco ASA, but, as you understood correctly, something similar.
Let's consider that we are talking about the ASA and we are using it as a VPN server to create tunnels with IPsec.
Now let's consider that data are coming from the switch, then through the ASA they are encrypted and go to the router. Then the router
routes them to the Internet. Those packets can be routed since the IP header is not encrypted.
Let's say that the router wants to exchange some information with the switch. If the switch sends some data,
then the router will receive them encrypted and the router will not understand them.
As I see it, the only way is to use access lists so that only specific data is encrypted and some other data is not.
I don't know if you agree with the above. I would like to hear your feedback and opinion, since I am not very familiar
with security and ASA devices.
Thanks a lot for anything.
Moses
11-24-2010 09:30 AM
Dear Federico,
I think you solved my problem.
Now I understand what's going on. Thanks a lot.
Moses