Hi,
is it possible to handle two internal networks and one external network with a single CacheGuard installation, which has three physical network adapters?
Or do I need two CacheGuard installations?
Kind regards
Michael
two internal networks and one external possible
Re: two internal networks and one external possible
Hello Michael,
Regarding internal networks, you can have as many networks as you want with a single CG appliance as long as your networks can be routed (not necessarily connected) to CG. In most cases CG is used as the default gateway in substitution of the Internet router (or another gateway such as a firewall). The way you can implement CG in your environment depends on how your networks are connected to the Internet today. Could you please send me a network diagram or explain your network topology to me?
Regarding the usage of CG by an external network, I need some clarification. What do you mean by external? Is it a network on the public Internet, on a WAN or connected via a VPN? In any case, in forwarding mode (CG protects end-users), for security reasons end-users should be routed to the internal network interface of CG (regardless of being located on an internal or external network).
I look forward to having your answers so I can help you more.
Best Regards,
Re: two internal networks and one external possible
Hello David,
Thank you for your quick response.
Actually, there is no route between our two internal networks.
We have 2 Cisco ASA firewalls, a 5525-X and a 5505.
The 5525-X serves these networks:
LAN 10.11.0.0/16 --> Here I would place the first internal network interface of CacheGuard
DMZ 10.5.1.0/24 --> Here I would place the external network interface of CacheGuard
Public Internet
The 5505 serves these networks:
GuestWirelessDevices 172.42.0.0/16 --> Here I would place the second internal network interface of CacheGuard
Public Internet
Final goal:
The HTTPS/HTTP traffic of both internal networks should flow over CacheGuard's external interface in the DMZ out to the public Internet.
Kind regards,
Michael
Re: two internal networks and one external possible
Thanks for the clarifications Michael. Now I see what the external network is (I assume your DMZ, right?).
Could you please tell me how your Cisco firewalls are connected to your Internet router(s)? Do you have a single Internet router or two? Is your Cisco 5505 connected to your DMZ (10.5.1.0/24), or does it use another network to connect to your Internet router?
My understanding is that in your proposed architecture CG is implemented in parallel with your firewalls. A better solution would be to chain CG with your firewalls to have double-layer security.
Also please note that you can route as many networks as you want via CG, but CG has a single internal network interface. Therefore the solution would be to create a new connectivity network shared between your two Cisco routers and the internal network interface of CG (a /29 is sufficient). In such an architecture the external network interface of CG can be directly connected to your DMZ. But to avoid any asymmetric routing, a better solution would be to create a second connectivity network for the external network (shared between your two Cisco firewalls and the external network interface of CG). The rest is a matter of routing configuration.
Another key question is whether you intend to implement CG in transparent mode or in explicit mode (in transparent mode HTTP traffic is transparently intercepted by CG without the need for end-users to specify CG as a Web proxy in their Web browsers).
Best Regards,
Re: two internal networks and one external possible
Hi David,
Our Internet provider supplies us with an HP switch and a routable public IP range. Both ASA firewalls have an IP address from this range on their public interface.
Thank you for the additional feedback. I changed the proposed architecture for implementing CG:
I would create an internal link/route between both firewalls, so it would be possible to reach the CG from the second ASA's internal network.
Yes, I intend to implement CG in transparent mode, but this decision is still open, due to the effort involved.
You helped me a lot with your hints, I can start with the planning/sizing now.
Have a nice day.
Kind regards,
Michael
Re: two internal networks and one external possible
Dear Michael,
It was a pleasure to help you. Thank you for sharing your inquiry. I'm sure that our discussion on this topic will help other users in the future.
If you have any other questions please feel free to post them on our forum.
Best Regards,
Re: two internal networks and one external possible
Hi,
Maybe the following network diagram could help to better understand the target architecture:
Best Regards,