Difference between revisions of "Nextelco:ASA1"

From its-wiki.no

Revision as of 11:56, 25 May 2014

ASA 1

ASA1 is responsible for analysing and filtering all connections that originate on the Internet and try to reach the CNOC. It also creates IPsec VPN (layer 3) connections to all ASA-Africa devices in order to provide communication between the CNOC and the end-users, CPEs and BSs sitting behind each ASA-Africa device. All traffic to the Internet generated by end-users behind ASA2 will go through it. At the same time, it will prevent any connection to the Internet generated by the CNOC, the Application Server and other equipment such as BSs or CPEs. The following figure shows how it will be connected.


ASA 1 Connection


Required capabilities

  1. Two VLANs
    1. VLAN 1 for inside
    2. VLAN 2 for outside
  2. Minimum of two interfaces, up to three
    • If Internet and VSAT are connected through the same interface
      1. Ethernet 0/0 for outside (Internet & VSAT)
      2. Ethernet 0/1 for inside (CNOC)
    • If Internet and VSAT are connected through different interfaces
      1. Ethernet 0/0 for outside (Internet)
      2. Ethernet 0/1 for outside (VSAT)
      3. Ethernet 0/2 for inside (CNOC)
  3. NAT for traffic originated by CNOC (inside --> outside)
  4. Ping functionality from inside to outside (inside --> outside)
    1. echo
    2. echo-reply
    3. time-exceeded
    4. unreachable
    5. traceroute
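
The capabilities listed above, sketched as an ASA 5505 configuration for the two-interface case (Internet and VSAT on the same port). This is an added example, not the project's own configuration; it assumes ASA software 8.3 or later (object NAT syntax), and the IP addresses and the names CNOC-NET and OUTSIDE-IN are constructed placeholders.

```cisco
! VLAN 1 = inside (CNOC), VLAN 2 = outside (Internet & VSAT)
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Ethernet 0/0 carries the outside VLAN, Ethernet 0/1 the inside VLAN
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! Placeholder default route towards the upstream gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! NAT for traffic originated by the CNOC (inside --> outside):
! dynamic PAT behind the outside interface address
object network CNOC-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Ping and traceroute from inside to outside. The outgoing echo is
! allowed by the security levels (100 --> 0); only the ICMP replies
! and error messages coming back have to be let in on the outside.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
```

The inbound list permits no `echo`, so hosts on the outside cannot ping into the CNOC; everything not matched by OUTSIDE-IN is dropped by the implicit deny at the end of the access list.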

Configuration

Modules for SPAM filtering

CISCO VPN sec

Botnet traffic filter by CISCO

ASA5505-BOT-1YR=

Discussion

Virus interface should be at the ASA-Africa, which is in Congo. The challenge then is that every satellite ground station needs its own ASA.


Return to the Technology page.