C6509 with IPSEC/VPN SPA terminating GRE Tunnels to ASA5540 for Firewall

pabblitto1 · ‎07-10-2007

We currently have a Catalyst 6509 which terminates the IPSec/GRE tunnels. We would like to then connect our ASA5540 to this 6509 to inspect the traffic once the packets have been decrypted and then send it back again to the 6509 to route it to its final destination within the VLANs that reside in the 6509.

This is what we'd like to do: [WAN]-->[6509 IPSec SPA]-->[ASA5540]-->[6509 VLANs]-->servers

We've been trying to see how this can work for almost a month and still cannot come up with a solution.

If we were to use transparent, it requires that both VLANs (inside and outside) need to be on the same subnet. However, when I create the two subnets within the 6509, it refuses since the IP addresses overlaps.

Any ideas?

Thanks!

-Paul

Jon Marshall · ‎07-11-2007

Hi Paul

Not sure what you mean by address overlaps. You have two vlans but only one subnet.

ie. you have vlan 10 & 11 and one IP subnet 192.168.5.0/24

IPSEC SA (192.168.5.2) is in vlan 10. Layer 3 SVI (192.168.5.1) is in vlan 11.

The default gateway for the IPSEC SA is the layer 3 SVI.

You then bridge the 2 vlans together with the ASA device.

So the IPSEC SA would send the traffic to it's default gateway which has to go through the ASA to get there.

Have i misunderstood ?

Jon

pabblitto1 · ‎07-13-2007

Hi Jon,

Thanks for your suggestions, unfortunately, we have GRE/IPsec tunnels that end at the same 6509. So, when we route the traffic to the 5540, the packets ignore it since it just goes directly to the tunnel interface which are directly connected. We used PBR to force it to go to the 5540 but we get routing loops. I've worked with Cisco's tech support, both the routing group and the firewall group, and they couldn't find an answer. I also worked with our local Cisco Engineer and we couldn't come up with a solution either. In the end, it looks like we'll have to buy an additional switch to differentiate some of these functions. I.e. [WAN]->[6503 with VPN SPA]->[5540 F/W]->[6509]->VLANS

The problem is that we are using the 6509 to do IPSec/GRE tunneling, routing, and switching all in the same box. Now adding a firewall appliance into this configuration just doesn't seem to fit.

I'm attaching a drawing of our current setup w/o the 5540 in case anyone of you has an idea on how to incorporate this 5540 into our config. It's like playing a game of Horse where we have to route the packets "off the tree limb, off the gutter, off the backboard, and nothing but net!"

Thanks.

p-lees · ‎07-21-2007

Hi

Unfortunately i can't help you with your 5540 question, but i was hoping you could help me with a question as you seem very experienced witn the IPSec SPA. This may sound like a very simple question, but i am trying to terminate a single VPN on the SPA, and can't quite figure out how i should be configuring the SPA interfaces, and also my VLAN interfaces on the Cat.

I basically want to terminate the VPN on an outside VLAN (208) with a public IP address, and then forward the decrypted packets to an internal VLAN (207). I don't believe it can get much simpler than this. Please can you give me some guidance on how to set up the SPA interfaces, i.e. should i just put the public IP onto the 208 VLAN, and trunk that down to the SPA on one of it's interfaces (3/0/1 in my case), and then should i trunk the inside interface down the other SPA interface 3/0/2 ???

Your help would be appreciated.

Phil

pabblitto1 · ‎07-23-2007

Phil,

There are three ways you can terminate the VPN on the SPA. What you mentioned above is using the routed mode. You can also do it in the switched mode where you put the public ip address at your internal VLAN 207 and make your external VLAN 208 or external interface a Layer 2. In your case, you would need to:

1. Put your public IP address on VLAN 208.

2. Crypto connect this to your internal VLAN 207.

3. You then include your inside VLAN 207 into your 3/0/1 SPA in the trunk command, i.e. switch trunk allowed vlan 207

That should do it. I know that Cisco's documentation was pretty confusing at first.

Good luck.

-Paul