Hello Jon,

Thanks for your interest. Here is the clari for your queries

1) What is the firewall ie. make and if cisco  version of code it is running

CISCO ASA 8.0

2) Are you running a dynamic routing protocol between the branch sites and the hub

STATIC

3) Are the branch sites subnet summarisable

YES

4) Are you planning on using subinterfaces on the firewall or just one physical interface for all traffic

AT THIS POINT I DONT HAVE ANY IDEA. IF SUBINTERFACE IS THE ONLY SOLUTION, THEN I HAVE TO DO THAT

Hope this info is sufficient for further discussion. Please note, This is in design stage. Based on your solution the Low level design will be done

sairam

Hello Sairam,

this kind of constrained connectivity can be achieved using VRFs:

each branch site will be in a VRF.

Traffic coming from branch1 is routed to an ASA subinterface that is mapped to a vlan subinterface in same VRF on the router.

Another VRF is used for the second branch office.

ip VRF branchA

rd 100:101

int  ser0/0

ip vrf forwarding branchA

ip address x1.y1.z1.k1 255.255.255.252

int fas0/0.n1

enc dot1q n1

ip vrf forwarding branchA

ip address l1.m1.n1.o1 255.255.255.252

ip route vrf branchA  remote-siteA summary mask ser0/0

ip route vrf branchA  0.0.0.0 0.0.0.0 l1.m1.n1.asa1

ip VRF branchB

rd 100:102

int  ser0/1

ip vrf forwarding branchB

ip address x2.y2.z2.k2 255.255.255.252

int fas0/0.n2

enc dot1q n2

ip vrf forwarding branchB

ip address l2.m2.n2.o2 255.255.255.252

ip route vrf branchB  remote-siteB summary mask ser0/1

ip route vrf branchB  0.0.0.0 0.0.0.0 l2.m2.n2.asa2

A more classic solution would involve the usage of multiple PBR.

Hope to help

Giuseppe

Hello Sairam,

In addition to Giuseppe's VRF example, here is an example for PBR solution:

1-Create an access list that matches your internal network

T-1(config)#ip access-list extended 111
T-1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 any

2-Create a route map and specify your match and set clause
T-1(config)#route-map test-pbr
T-1(config-route-map)#match ip address 111
T-1(config-route-map)#set ip next-hop 192.168.1.2

3-Apply the route map to the interface of the router facing the FW
T-1(config-if)#ip policy route-map test-pbr

HTH

Reza

snarayanaraju wrote:
Hello Jon,
Thanks for your interest. Here is the clari for your queries
1) What is the firewall ie. make and if cisco  version of code it is running
CISCO ASA 8.0
2) Are you running a dynamic routing protocol between the branch sites and the hub
STATIC
3) Are the branch sites subnet summarisable
YES
4) Are you planning on using subinterfaces on the firewall or just one physical interface for all traffic
AT THIS POINT I DONT HAVE ANY IDEA. IF SUBINTERFACE IS THE ONLY SOLUTION, THEN I HAVE TO DO THAT
Hope this info is sufficient for further discussion. Please note, This is in design stage. Based on your solution the Low level design will be done
sairam

Sairam

As Giuseppe says you can use VRFs as a a solution. There are a couple of other solutions that you may want to think about -

1) Again as Giuseppe mentioned PBR (Policy Based Routing) could be used to send the traffic to the ASA firewall

2) However, as you use static routing an even easier way is simply on your HQ router have routes for the branch sites pointing to the ASA. This is why i asked about the routing between each site. Between the HQ router and the ASA have 2 subinterfaces and route the branch traffic via the subinterfaces.

All 3 would work for you. Using VRFs is the modern approach to segregating traffic across the same physical infrastructure but if your kit cannot support it or you do not want the complexity there are alternative approaches.

Jon

Hi Jon

i m only wondering if we use :

"2) However, as you use static routing an even easier way is simply on your HQ router have routes for the branch sites pointing to the ASA"

i think this will form a route loop because traffic will come from banchA to branchB going through the hub,  the hub will have the route to branchB point to the ASA and then the ASA will route it back the hub router and the router will route back to the ASA !!!

am i right or i misundersood your point !!

i think VRFs will be the best even better than PBR because it will put less CPU utilization

thank you

Thanks to Giuseppe, Jon, marwanshawi

Your suggestion are very useful. Jon suggested to use PBR. But I expect It will create route loop between ASA and HUB Router. So I am going to use VRFs.

Each Branch office will be in different VRF. Instead of sub-interface in ASA I am going to use dedicated physical interface itself. Each Interface in HUB Router which is connected to ASA will also be in different interface.I will use BGP to route between VRFs (Route Leak between VRF).

I will update this post after testing this in Lab. Before that if you have any comments please let me know

Thanks again

sairam

Hello Sairam,

>> I will use BGP to route between VRFs (Route Leak between VRF).

if you do so the risk is that the firewall can be bypassed and the advantage of VRFs would be lost, an additional VRF for central site itself may be needed I was thinking of this, this depends if central site is behind the ASA or connected to another interface of the router.

Also I would use a logical interface for each branch/VRF in connecting to the ASA it should help.

Edit:

However, in the lab you can test the scenario. Keep us updated.

Hope to help

Giuseppe

i think if you just do the configurations posted by Giuseppe above your life will be easier as with static routing and two VRFs your goal will be achieve without any complexity

also i don't think you need any route leaking because any sort of leaking that mean bypassing the firewall which is not your requirment unless you want to excluded some traffic from being firewalled in this case route leaking will be an option

thank you

marwanshawi wrote:
Hi Jon
i m only wondering if we use :
"2) However, as you use static routing an even easier way is simply on your HQ router have routes for the branch sites pointing to the ASA"
i think this will form a route loop because traffic will come from banchA to branchB going through the hub,  the hub will have the route to branchB point to the ASA and then the ASA will route it back the hub router and the router will route back to the ASA !!!
am i right or i misundersood your point !!
i think VRFs will be the best even better than PBR because it will put less CPU utilization
thank you

Marwan

I am hanging my head in shame

You are of course quite right and i should have thought that one through a bit more. No excuses, just very basic mistake. Thanks for correcting.

Sairam - apologies for the answer.

Jon

no problem Jon

it happens, especially when there are many posts to answer

Hi Friends,

I tested this. It is working perfectly when VRFlite is used. Let me just brief the config logic.

I have used 2 interfaces of the firewall connected to HUB Router. Each Branch offices will be in different VRFs. Similarly Each interface connected to Firewall will also be in different VRFs.

Spoke 1 : VRF Name=S1

Spoke 2:  VRF Name=S2

Interface 1 to Firewall =FW1

Interface 2 to Firewall=FW2

I am importing FW1 routes to S1 and S2. Importing S1 & S2 Routes to FW2. Hope it is not confusing.

If required I am happy to post the config also

HTH

sairam

as long as it working that's fin

but i think you can achieve same goal with two VRFs only

in the hub assign S1 to site 1 and interface FW1 to FW interface in VRF1

assign S2 and FW2 interface to VRF2

this way your troubleshooting in the future or any additional site to be added will be easier

can post the hub config i want to see it how its configured with 4 VRFs