Dual IPsec with DHCP relay - best practice

Author
Jirka
Silver Member
  • Total Posts : 107
  • Scores: 2
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
2019/02/06 11:49:02 (permalink)
0

Dual IPsec with DHCP relay - best practice

Hi,
 
I'm starting to work on the design of a company's network upgrade and I need a little help with the best solution.
Current situation:
 
2x 100D HA A-P in headquarters (200Mbps) where is a Primary Domain Controller and couple of file servers (172.16.10.0/26)
 
13x branch, currently Cisco ASA 5510 (172.17.x.0 / 24)
 
Each branch have a primary 40Mbps line and a 4Mbps backup line. BGP provides ISP, so there is only one WAN line to the ASA. The branch is connected using IPsec to the  headquarters in the "0.0.0.0/0" configuration - all traffic from the branch goes to the headquarters  and performs UTM and NAT to public IP addresses.
 
Now, the ASA will be exchanged for the FG50E, a secondary location (FG200E 1Gbps) will be deploy and Next Domain Controller will be set up (yes, for 6 years, we run a domain with only one domain controller :( )
I needed to clarify how best to ensure access to the Next Domain Controller (DNS, DHCP) and the Internet if the HQ is unavailable.
 
1)      Create another IPsec tunnel from each branch to the secondary location
2)      Configure some dynamic routing, which will make redirection of all traffic to the second location when the HQ is unavailable?
3)      We use a DHCP relay at each branch to ensure that queries are passed between branch subnets and the subnet of the headquarters - allows FG to configure multiple DHCP servers in Relay settings?
 
Thank you very much for helpful advice!
 
Jirka
post edited by Jirka - 2019/02/06 13:27:17
#1

0 Replies Related Threads

    Jump to:
    © 2019 APG vNext Commercial Version 5.5