1841 with ADSL modem, VPN continue to work if FW is added?

Unanswered Question
Aug 22nd, 2007

Hi,

In one branch office, We have 1841 that has ADSL modem connected to FA port. Behind the 1841 is the private LAN. The ADSL line (dynamic IP) is used for L2L VPN to connect to two sites and also to connect to Internet - browsing, downloading, etc.

WIC-1T card is also installed on the same router but it is still not used.

If we put ASA5505 behind the 1841, can the LAN users continue to use the VPN on the ADSL?

Given the new setup, my concern is that we might not be able to continue using the ADSL for VPN now that there will be two devices between the LAN and the Internet.

Our ADSL is faster than the serial so we wanted to keep the VPN and browsing connected that way and also start using the serial.

What combination statements do I have to enter in the ASA and 1841 for this particular requirement to work?

If buying and ADSL card will help or reduce the number of hops, I'm willing to do it.

1841#

interface FastEthernet0/0

description INSIDE

ip address x.x.124.73 255.255.255.248

ip policy route-map ADSL

interface FastEthernet0/1

description Outside-Connected to ADSL modem

ip address 20.20.20.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 20.20.20.1

access-list 110 permit ip host x.x.124.75 any

route-map ADSL permit 10

match ip address 110

set ip next-hop 20.20.20.1

ASA5505#

global (outside) 2 x.x.124.75

nat (inside) 2 10.10.10.0 255.255.255.0

static (inside,outside) x.x.124.78 dominoserver netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 x.x.124.73 1

Thanks.

Archie

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Wed, 08/22/2007 - 05:35

Hi Archie

In answer to your question yes there is no reason why the users cannot continue to use the 1841 for the VPN. Basic things you need to do

1) On the 1841 you will have crypto access-lists that defines what traffic should be sent down the VPN tunnels. As long as you make sure that the packets arriving from your ASA device match those access-lists the VPN will work fine.

If you NAT the LAN source addresses on your ASA then you will need to update your crypto access-lists on both the 1841 and the remote devices so it would make sense to have nat exemption on the ASA when traffic is meant to go down one of the VPN's

2) Add a default route to ASA pointing to inside interface of 1841.

3) Add route(s) for your LAN subnet(s) on the 1841 pointing to the ASA outside interface.

It should then work. If you were trying to allow out remote access VPN from the internal network with this new setup it would require more config but this is a L2L tunnel so it is relatively straightforward.

HTH

Jon

agcastle2000 Wed, 08/22/2007 - 08:59

Hi Jon,

Thanks for your reply.

1. I'm not sure if I understand what you said but I have this in my router.

You mean this has to be defined as well in the ASA?

access-list 100 remark IPSec rule (interesting traffic), Site1 to Site2

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 101 remark IPSec rule (interesting traffic), Site1 to Site3

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255

In this case, I have to add the following in the ASA. If this what you mean.

access-list nat0_acl extended permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list nat0_acl extended permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255

nat (inside) 0 access-list nat0_acl

2. This is what I'm going to put in the ASA. Right? x.x.124.73 is the inside interface of the router.

route outside 0.0.0.0 0.0.0.0 x.x.124.73 1

3. The outside interface of ASA is x.x.124.75 and LAN subnet is 10.10.10.0. I'm not sure what you mean here.

Grateful if you could provide example.

Thanks a lot.

Archie

Jon Marshall Wed, 08/22/2007 - 09:09

Archie

You have it pretty much spot on.

1) Leave your router access-lists as is and just add the nat exempt lines that you have above to your ASA.

2) Yes this is correct

3) On your 1841

ip route 10.10.10. 255.255.255.0 x.x.124.75

You need this otherwise the router will not know how to get back to the LAN.

Jon

agcastle2000 Sat, 08/25/2007 - 05:42

Hi Jon,

Many thanks.

I have to slightly deviate from the original question.

Do we have to be concerned about the traffic passing between the router and the new firewall which, in my understanding, is no longer encrypted?

Grateful if someone could shed some light.

Regards, Archie

agcastle2000 Tue, 08/28/2007 - 23:45

Hi,

Can someone provide an answer to my previous query on the security between the router and the firewall?

Thanks.

Archie

Jon Marshall Tue, 08/28/2007 - 23:55

Archie

Apologies, i meant to reply and got sidetracked !

You are correct in what you say in that the traffic going between your router and ASA device will no longer be encrypted. How much of a concern this is can really only be answered by your company, it's security policies and the importance of the data being encrypted.

On a more general note you would typically terminate the VPN on the ASA in the configuration you are proposing. Depending on your public addressing this can either be relatively easy or a little more challenging.

Presumably your ASA outside interface is using a private IP address so you would need to port forward the VPN ports through from your 1841 to the ASA device. Ideally you would want a public IP address on the outside interface of your ASA.

The other thing to take into account is do you need both an ASA and the 1841 router ? You could just run the IOS firewall feature set on your 1841 which is a fully stateful firewall and then you have no need of the ASA.

HTH

Jon

agcastle2000 Wed, 08/29/2007 - 00:28

Hi Jon,

Thanks for your speedy reply. (I thought the email notification is a mistake!). I'm glad that you took the efforts to continue this thread.

I have already configured the router to act as a firewall through Access List so if I could only allow inbound VPN traffic and other "wanted" traffic on the serial interface (when we have it) then it should be okay. What do you think?

On this site where 1841 is running, it all started as just a router (no firewall) with the ADSL modem as the link to Internet. VPN connections from 1841 to ASA5510 and to PIX515 in two other sites work well as well as the Internet browsing, downloading. The immediate requirement is that we have to connect this site to our HQ in Europe and their policy is to only accept from Cisco firewalls and only from static IP addresses. So we are forced to add an ASA device. My plan is to terminate the connection to HQ outside the ASA but continue with the ADSL on the existing connections to two sites.

You're right in saying that in setups like this, termination should be on the outside of the firewall. In fact, on the other two sites where the PIX and ASA5510 are installed the VPN are terminated on the outside interface of these devices.

The only reason why I wanted to retain the connection on the ADSL is because of the speed (and the cost). Internet Leased Lines (v.35) in our part of the world is too costly so I wanted to keep the speed of LL to a minimum (inbound connections only) and continue to use the VPN on ADSL.

Have a good day!

Regards,

Archie

agcastle2000 Wed, 08/29/2007 - 01:23

Hi ,

I just want to clarify a line in my previous post when I said that "it all started as just a router (no firewall)". What I mean is that there is no firewall device (ASA or PIX). The site has only the IOS firewall in 1841.

Thanks, Archie

Actions

This Discussion