Migrate from router to ASA

MarcoM
Level 1

Hi all,

I am confused... please help.

I have two Cisco 887 routers with a site-to-site VPN:

Site A:

! ISAKMP (phase 1) policy: 3DES with a pre-shared key
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key ********* address 85.34.AAA.AAA
!
! IPsec transform set (phase 2)
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
! Crypto map sourced from Loopback1, so the VPN peer address is the loopback, not the ATM link IP
crypto map CS1 local-address Loopback1
crypto map CS1 10 ipsec-isakmp
 set peer 85.34.AAA.AAA
 set transform-set strong
 match address ACL_EXT
!
interface Loopback1
 ip address 85.32.BBB.BBB 255.255.255.255
!
! ATM sub-interface towards the ISP; the crypto map is applied here
interface ATM0.1 point-to-point
 ip address 85.34.2.XXX 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 crypto map CS1
 pvc 8/35
  encapsulation aal5snap
!

Site B:

! ISAKMP (phase 1) policy: 3DES with a pre-shared key
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key ********* address 85.32.BBB.BBB
!
! IPsec transform set (phase 2)
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
! Crypto map sourced from Loopback1, so the VPN peer address is the loopback, not the ATM link IP
crypto map CS1 local-address Loopback1
crypto map CS1 10 ipsec-isakmp
 set peer 85.32.BBB.BBB
 set transform-set strong
 match address ACL_EXT
!
interface Loopback1
 ip address 85.34.AAA.AAA 255.255.255.255
!
! ATM sub-interface towards the ISP; the crypto map is applied here
interface ATM0.1 point-to-point
 ip address 85.34.14.YYY 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 crypto map CS1
 pvc 8/35
  encapsulation aal5snap
!

I want to remove the VPN configuration from the routers and put the VPN configuration on a Cisco ASA 5505.

The scheme would be: ASA5505 (VPN site-to-site) -> 887 -> INTERNET, for both sites.

My problem is that I do not know what IP to put on the Outside interface of the firewall.

For example, on Site A delete all VPN configuration from the 887 and leave only ATM0.1 point-to-point; on the Outside interface of the ASA put the IP of the loopback (of router 887) and as default route 85.34.2.XXX. Right?

Thanks in advance.

12 Replies

Jouni Forss
VIP Alumni

Hi,

Unfortunately I haven't played around that much with Cisco routers other than for very basic configurations and 3G implementations, so I'm not up to date with most of the stuff.

I would imagine that it might be possible to do the following:

  • Configure the current routers to bridge the connection between the WAN and LAN, and actually configure the ATM0.1 link network's IP on your firewall directly and use it for L2L VPN configurations (possibly use the loopback IP for something else; I'm not sure why the actual interface IP isn't used for the VPN)

OR

  • Replace the Cisco 887 altogether with some basic modem in bridged mode and, like in the above case, configure the actual link network on the ASA5505

I'm not totally sure how bridging is configured on a Cisco router. I guess it would be using the "bridge-group" command under both of the interfaces to be bridged.

Before I can say anything for sure I would have to test this myself at work with some of our old routers. We don't use Cisco routers for DSL connections anymore. We use other devices (chosen by the ISP) in front of Cisco routers or firewalls to provide the DSL connectivity only, while other things are done on the router/firewall.

- Jouni

Hi Jouni,

thanks for the reply and the solutions.

For the second solution, we cannot replace it with a modem; the customer wants to leave the Cisco 887 only for ATM (connectivity) and place an ASA firewall.

Then can't I configure it in this way:

ASA interface Outside: 85.32.BBB.BBB (IP of the loopback) and Gateway 85.34.2.XXX (IP of ATM)

Doesn't it work? The provider should know where the net 85.32.BBB.BBB /29 is, or not?

Thanks.

M

Hi,

I'm just wondering about the role of the Cisco router after "all" its configurations are migrated to the ASA. You should be able to use a simple DSL modem in bridged mode to get the connection to your ASA and configure the link network between you and the ISP (currently on the ATM interface) directly on the ASA. Naturally you would have to start using a different public IP address for the L2L VPN, which could cause problems unless you or someone else can handle the other location at the same time while doing the change, so that there's minimal downtime.

Then again, if you had a new modem and ASA configured already you could just swap devices and test the new setup, and if things didn't work, change the Cisco router back and try again later. I guess if you/the customer want to keep the Cisco router in use for some purpose it's pointless getting a DSL modem. I just imagine that there are better/easier devices to handle bringing the DSL connection to Ethernet than a Cisco router.

I don't think you can configure the Loopback IP directly on the ASA as you only have a single IP address. It would have to be at least a /31 subnet so you could configure an IP for both the ASA and the router from the same subnet and then point the default route towards the router from the ASA.

Hi Jouni,

the customer wants to leave its 887 router only for ADSL.

The customer now has on the 887 an IP for ATM and a loopback, on a separate subnet, where the site-to-site VPN points.

If you want, I can attach the config.

There are two ranges of addresses:

1) for ATM: 85.34.2.XXX /30

2) for VPN: now using only one IP from the subnet 85.32.BBB.BBB /29

Thanks.

Hi,

If you actually have a /29 public subnet at your disposal then I would suggest:

  • Configure the /29 network between the ASA and C887
  • Assign the current Loopback IP to the ASA and reserve one for the C887 interface towards the ASA
    • The rest of the subnet's IP addresses could naturally be used in the ASA configuration if needed
  • Configure the default route on the ASA to use the C887 interface IP (of the /29 network) as the gateway address
  • The ATM interface would continue to use the same IP address/subnet

- Jouni

Hi Jouni,

for example: if on the ASA interface OUTSIDE I use the same IP as the loopback on the 887, that is 85.32.BBB.BBB, and set the default route on the ASA to the ATM interface, doesn't it work? ATM should know the net /29, or not?

Am I forced to use a public IP on the 887 interface?

Hi,

If you are going to connect the ASA to the C887 router you will naturally need to configure a link network between them.

And since the ASA will use its outside interface IP address for the L2L VPN, it would naturally be best to use the public IP address range so you don't have to do some kind of workaround on the device in front of the ASA. You CAN'T configure the ASA to use another interface's IP address for the L2L VPN like you have done on the C887 currently.

It would just seem the simplest thing to me to configure the /29 network between the ASA and the C887 router.

IF you use the /29 network for the router-to-ASA connection and keep the /30 for the ATM interface, then naturally the C887 router will see both of the networks as they are directly connected to the router.

Is there a specific reason why you wouldn't want to configure the /29 network between the ASA and the C887 router? It would only take 2 IP addresses from that range to configure the link (and naturally the network/broadcast addresses are usually not used). Do you have a /29 network at both of the sites?

- Jouni

Hi,

thanks again for the reply.

On both sides there is a /29 net. There is no reason; I'll check with the customer the availability of other free addresses.

Then if I use your configuration, can I use the IP of the firewall as the peer for the site-to-site, because the flow of traffic that comes from ATM is routed to the public interface of the ASA? Right?

Summary, for example:

IP OUTSIDE ASA: 1.1.1.1

IP 887: 1.1.1.2

Default gateway for ASA is IP 1.1.1.2

Thanks.

M

Hi,

Yeah, I don't see any problem with it.

So to go through the situation again:

  • ATM interface IP address stays the same
    • Therefore the default route from the router's perspective towards the ISP will stay the same
  • IF possible, you configure an IP address from the /29 network on a LAN interface of the router
    • To that interface you connect the ASA firewall's outside
  • The ASA firewall's outside interface is configured with the IP address that is currently on the Loopback (and is also part of the customer's /29 network)
    • As the L2L VPN peer IP for this site stays the same, naturally this doesn't require any changes to the other site's VPN configuration until you decide to change the other site's setup to be similar to this

The traffic should flow normally to that IP address even though the setup changes a bit. If the customer has the /29 network from the ISP, the ISP is already routing it towards your customer's DSL line. Instead of the C887 router, the traffic will still get forwarded to the ASA where the actual L2L VPN peer IP is. The C887 router will know this as it has the new interface configured with the /29 network.

Of course all that we have talked about here is just a small part of the whole thing. You have to configure the ASA, make changes to the router configurations and so on for all this to work.

- Jouni
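As an added worked example (not from the thread or from Cisco's documentation) of the plan Jouni just summarized, this is what Site A could look like after the move. It uses the thread's placeholder values 1.1.1.1 (ASA outside) and 1.1.1.2 (router) and assumes 1.1.1.0/29 stands in for the customer's /29, 192.168.1.0/24 and 192.168.2.0/24 are the two LANs, the ASA runs 8.4+ syntax, and Site B stays on its unchanged 887 for now:

```text
! ---- Cisco 887, Site A: VPN removed, /29 link network toward the ASA ----
interface ATM0.1 point-to-point
 no crypto map CS1
no crypto map CS1 10
no crypto map CS1 local-address Loopback1
no crypto isakmp key ********* address 85.34.AAA.AAA
no interface Loopback1
! LAN SVI gets the router's /29 address (1.1.1.2 from the thread; 1.1.1.0/29 is a constructed stand-in); no NAT on this leg
interface Vlan1
 ip address 1.1.1.2 255.255.255.248
 no ip nat inside
! Default route to the ISP is unchanged (assumed form)
ip route 0.0.0.0 0.0.0.0 ATM0.1

! ---- ASA 5505, Site A: outside takes the old Loopback1 address ----
interface Ethernet0/0
 switchport access vlan 2
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.2
! Interesting traffic and NAT exemption (LAN subnets are assumed)
object network LAN_A
 subnet 192.168.1.0 255.255.255.0
object network LAN_B
 subnet 192.168.2.0 255.255.255.0
access-list ACL_EXT extended permit ip object LAN_A object LAN_B
nat (inside,outside) source static LAN_A LAN_A destination static LAN_B LAN_B no-proxy-arp route-lookup
! Phase 1/2 must match the unchanged Site B router: 3DES, pre-shared key,
! plus the IOS defaults its policy leaves implicit (SHA-1 hash, DH group 1)
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set strong esp-3des esp-md5-hmac
crypto map CS1 10 match address ACL_EXT
crypto map CS1 10 set peer 85.34.AAA.AAA
crypto map CS1 10 set ikev1 transform-set strong
crypto map CS1 interface outside
tunnel-group 85.34.AAA.AAA type ipsec-l2l
tunnel-group 85.34.AAA.AAA ipsec-attributes
 ikev1 pre-shared-key *********
```

The 887's "mode transport" never applied to LAN-to-LAN traffic (IOS negotiates tunnel mode whenever the protected addresses differ from the peers), so the ASA's default tunnel mode matches the existing Site B peer. 3DES, MD5 and DH group 1 are kept here only to interoperate with the untouched Site B router and should be replaced with AES, SHA-2 and a larger DH group once both ends are on ASAs.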

John Peterson
Level 1

Hi Marco,

One of the configurations I did was to let the dialer interface get an IP address from the ISP, set to DHCP. You would then need to configure a static address (from your ISP subnet) on VLAN 1. If I remember right, all ports are on the same L2 switch on the router.

Create a static default route pointing to the dialer interface, assign one IP address to your firewall connecting it to your router, and the firewall's default route would be the IP address assigned to the 877 VLAN 1.

HTH

Hi John,

there isn't a Dialer interface.

In my case on the 887 I just leave only the ATM interface; all other configuration (VPN site-to-site, ACLs, etc.) must be made on the ASA. The ASA should have a public IP address (from the pool range of IPs).

You should be able to create a dialer interface and then map it to your ATM.

Have a look at this guide:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/pppoanat.html
