two internal networks and one external possible

Discuss and get help to implement a CacheGuard Gateway into your networks
axnav
Posts: 12
Joined: 08 Jan 2017 08:11

two internal networks and one external possible

Post by axnav »

Hi,

Is it possible to handle two internal networks and one external network with a single CacheGuard installation that has three physical network adapters?

Or do I need two cacheguard installations?

Kind regards,

Michael
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: two internal networks and one external possible

Post by david »

Hello Michael,

Regarding internal networks, you can have as many networks as you want with a single CG appliance as long as your networks can be routed (not necessarily connected) to CG. In most cases CG is used as the default gateway in substitution of the Internet router (or another gateway such as a firewall). The way you can implement CG in your environment depends on how your networks are connected to the Internet today. Could you please send me a network diagram or explain your network topology to me?

Regarding the usage of CG by an external network, I need some clarification. What do you mean by external? Is it a network on the public Internet, on a WAN, or connected via a VPN? In any case, in forwarding mode (CG protects end-users), for security reasons end-users should be routed to the internal network interface of CG (regardless of being located on an internal or external network).

I look forward to having your answers so I can help you more.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
axnav
Posts: 12
Joined: 08 Jan 2017 08:11

Re: two internal networks and one external possible

Post by axnav »

Hello David,

Thank you for your quick response.
Actually, there is no route between our two internal networks.

We have two Cisco ASA firewalls, a 5525-X and a 5505.

The 5525-X serves these networks:
LAN 10.11.0.0/16 --> Here I would place the first internal network interface of CacheGuard
DMZ 10.5.1.0/24 --> Here I would place the external network interface of CacheGuard
Public Internet


The 5505 serves these networks:
GuestWirelessDevices 172.42.0.0/16 --> Here I would place the second internal network interface of CacheGuard
Public Internet


Final goal:

The HTTP/HTTPS traffic of both internal networks should flow out to the public Internet via CacheGuard's external interface in the DMZ.

Kind regards,

Michael
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: two internal networks and one external possible

Post by david »

Thanks for the clarifications Michael. Now I see what the external network is (I assume your DMZ, right?).

Could you please tell me how your Cisco firewalls are connected to your Internet router(s)? Do you have a single Internet router or two? Is your Cisco 5505 connected to your DMZ (10.5.1.0/24), or does it use another network to connect to your Internet router?

My understanding is that in your proposed architecture CG is implemented in parallel with your firewalls. A better solution would be to chain CG with your firewalls to have a double layer of security.

Also please note that you can route as many networks as you want via CG, but CG has a single internal network interface. Therefore the solution would be to create a new connectivity network shared between your two Cisco routers and the internal network interface of CG (a /29 is sufficient). In such an architecture the external network interface of CG can be directly connected to your DMZ. But to avoid any asymmetric routing, a better solution would be to create a second connectivity network for the external network (shared between your two Cisco firewalls and the external network interface of CG). The rest is a matter of routing configuration.

Another key question is whether you intend to implement CG in transparent mode or in explicit mode (in transparent mode HTTP traffic is transparently intercepted by CG without the need for end-users to specify CG as a Web proxy in their Web browsers).

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
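The routing design David describes (both firewalls reaching CG's single internal interface over a shared /29, CG returning each client prefix to the firewall that owns it) can be sanity-checked before touching any device. The following is an added example, not code from CacheGuard or from this thread; the two connectivity /29 prefixes and the interface names are assumptions, and CG's upstream hop is abstracted as a single "internet" node.

```python
import ipaddress

# Constructed address plan (assumption, not from the thread). LAN, DMZ and
# GUEST are the prefixes Michael posted; the two /29 connectivity networks
# are the ones David proposes, with addresses invented here for illustration.
LAN, DMZ, GUEST = "10.11.0.0/16", "10.5.1.0/24", "172.42.0.0/16"
CONN_IN, CONN_OUT = "10.250.0.0/29", "10.250.0.8/29"

# Routing tables: node -> list of (prefix, next_hop_node, egress_interface).
# next hop "local" means the prefix is directly attached and delivery ends here.
ROUTES = {
    "asa5525": [(LAN, "local", "inside"), (DMZ, "local", "dmz"),
                (CONN_IN, "local", "conn-in"), ("0.0.0.0/0", "cg", "conn-in")],
    "asa5505": [(GUEST, "local", "inside"), (CONN_IN, "local", "conn-in"),
                ("0.0.0.0/0", "cg", "conn-in")],
    # CG must know which firewall owns each client prefix; its upstream hop
    # (the firewalls' outside side) is abstracted as "internet" (assumption).
    "cg": [(LAN, "asa5525", "internal"), (GUEST, "asa5505", "internal"),
           (CONN_IN, "local", "internal"), (CONN_OUT, "local", "external"),
           ("0.0.0.0/0", "internet", "external")],
    "internet": [("0.0.0.0/0", "local", "upstream")],
}

def lookup(node, dst):
    """Longest-prefix match on one node's table; returns (next_hop, iface)."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES[node] if ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    return best[1], best[2]

def trace(start, dst, max_hops=8):
    """Follow routes from `start` until a node delivers locally.
    Returns the list of (node, egress_interface) hops taken."""
    path, node = [], start
    for _ in range(max_hops):
        nxt, iface = lookup(node, dst)
        path.append((node, iface))
        if nxt == "local":
            return path
        node = nxt
    raise RuntimeError(f"routing loop while tracing {dst} from {start}")

def plan_is_disjoint(*prefixes):
    """True if no two prefixes in the address plan overlap."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```

Tracing an Internet-bound address from each firewall must show the packet leaving CG's external interface, and tracing a client address from CG must show it leaving CG's internal interface toward the firewall that owns that prefix; a miss on either check is the asymmetric-routing case David warns about.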
axnav
Posts: 12
Joined: 08 Jan 2017 08:11

Re: two internal networks and one external possible

Post by axnav »

Hi David,

Our Internet provider supplies us with an HP switch and a routable public IP range. Both ASA firewalls have an IP address from this range on their public interface.

Thank you for the additional feedback. I changed the proposed architecture for implementing CG:

I would create an internal link/route between both firewalls, so it would be possible to reach the CG from the second ASA's internal network.

Yes, I intend to implement CG in transparent mode, but this decision is still open, due to the effort involved.

You helped me a lot with your hints; I can start with the planning/sizing now.

Have a nice day.

Kind regards,

michael
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: two internal networks and one external possible

Post by david »

Dear Michael,

It was a pleasure to help you. Thank you for sharing your inquiry. I'm sure that our discussion on this topic will help other users in the future.

If you have any other questions please feel free to post them on our forum.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: two internal networks and one external possible

Post by charles »

Hi,

Maybe the following network diagram could help to better understand the target architecture:
[Attached network diagram: CacheGuard-Internet-Access-Point.jpg]
Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com