Solved: Configuration options ASA 5512 + 1921 with 2 wan interfaces

Robert Peck · ‎12-30-2013

Hey all, I was hoping maybe someone could point me in the right direction for a configuration that makes sense for this setup. We have an existing DSL line that I moved from a Netopia modem to an HWIC on the 1921. This DSL is 1483 bridged with 5 static IP’s, one of those IP’s is the outside interface of the ASA 5512. This interface has 30-40 mobile users that VPN in from time to time. Recently I’ve gotten complaints that the VPN is really slow, looking into more bandwidth options and really had none, except Verizon 4G LTE. So, I added a 4G LTE HWIC with a static Verizon IP (still “negotiated” so it can’t be bridged) to the 1921 router. I would like to use the 4G for a new site-site VPN and any future remote VPN users, as well as primary internal internet bandwidth, keeping the DSL in place as just the already configured remote users VPN termination.

The 1921 is IP-Base, I need all VPN’s to terminate at the ASA. What is my best approach here? I’m kind of lost on what exactly my options are. Please see the diagram, this is how it is currently setup, basically the 4G is doing nothing right now. I am not really sure what my best options are. PBR on the 1921? 2 outside interfaces on the ASA?

Thank You.

Jon Marshall · ‎12-30-2013

Robert

Okay, having read the ASA config guide it looks like you cannot mix remote access VPNs and site-to-site VPNs through the same NAT/PAT device so you would definitely not be able to run both through the new link but you can run one or other which is fine as we are just running the site-to-site VPN down the new link. Note i'm assuming you know how to setup the site-to-site VPN so i'm just adding the extra bits needed.

One other thing. You should test this out of hours as it may break things or not work. I can't guarantee anything as i don't know the rest of your setup so be careful as you go. I'l outine the steps with some options and some config, Firstly i would try setting up the PBR/NAT for the new link and don't do any config for the site-to-site VPN until that is working so -

1) Define your acls for PBR and NAT.

If it is relatively simple to define general internet access + remote site-to-site VPN peer IP then you can do this. If you can then you can use the same acl for both PBR and NAT. Note even though it is the same acl i would recommend having an acl 101 and an acl 102, one for PBR and one for NAT so you can see the hits per acl which can be helpful for troubleshooting.

If it is not easy then you can do the opposite and use the acl to define the remote access VPN traffic. If you do this the acls are slightly different ie. the acl for PBR permits all IPSEC. (note there is no need to worry about the IPSEC for the site-to-site as this will be encapsulated in UDP port 4500 packets due to NAT-T). For NAT you need to deny all IPSEC traffic because we only want to NAT new link traffic.

Lastly if you can define general access + site-to-site then the config can be applied without any affect on the remote access VPNs.

2) The default route on the 2921. If your PBR configuration matches general internet + site-to-site VPN then leave the default route as is (i'm assuming it already points to the next hop IP of the existing link). If your PBR matches remote access VPN traffic then you would need to change the default route to the new link.

3) PBR + NAT config.

ip nat inside source list interface cellular0/0/0 overload <-- this is for all other traffic down the new link. Note is the acl you defined for the NAT traffic.

route-map PBR permit 10

match ip address <--- this is the acl defined for PBR

set ip next-hop x.x.x.x <-- where x.x.x.x is the next hop IP dependant on which traffic you are matching

4) configure the 2921 interfaces for NAT ie.

int gi0/0

ip nat inside

int cellular0/0/0

ip nat outside

The above should mean all internet traffic (non remote access VPN) should go via the new link. You can test with ping/traceroute/whatismyip.com etc. to make sure it is working.

Once you have this working then you can do the following for the site-to-site VPN tunnel -

5) Enable NAT-T on the ASA -

asa(config)# crypto isakmp nat-traversal 3600

this is need for the site-to-site VPN because it is going through a NAT/PAT device. Note this should not affect your existing remote access VPNs but definitely do out of hours.

6) on the 2921 router -

ip nat inside source static udp 4500 interface cellular0/0/0 4500 <--- this is need for NAT-T UDP 4500 ports

I think that should do it. A lot of it depends on your acls and how you define which traffic to use for PBR and NAT and i wanted to make it easier if you found you couldn't define internet access easily. I have also assumed you want to re NAT the general internet access traffic on the router ie. leave the ASA config alone.

Like i said, i would leave the site-to-site VPN tunnel until after you have got the other stuff working.

Jon

View solution in original post

Jon Marshall · ‎12-30-2013

Robert

Another interface on the ASA will not help because the ASA cannot do PBR so it would have no idea of which interface to use unless you knew all the public IPs of the remote access VPNs.

In fact that is your biggest problem. How are you going to discrimate between existing remote access VPNs and new ones as they can connect from any public IP and even if you know the range of public IPs could you tell which ones were meant to use the new link and which the old ?

The easiest and simplest solution is to use the new line for general internet access and leave the existing link for all VPN connectivity. Then you could use PBR on the 2921 to distinguish between the different traffic ie. all VPN traffic would be IPSEC as far as the router is concerned.

Do you think if you moved general internet access to the new link that would free up enough bandwidth on the existing link for all VPN connectivity ?

If it would then to help with the solution can you define which ports are used for general internet access eg. http/https etc. or is it any port allowed out to the internet. If it is any then it would be easier to use PBR to match IPSEC traffic but if it is a specific set of ports that could be used for PBR. In addition you would need to NAT the source IPs for general internet access to the new public IP on your 2921 so again it would be helpful to know whether you can identify general internet access ports or not.

Jon

Robert Peck · ‎12-30-2013

Thanks for the reply Jon. I guess I assumed there was a way to make the traffic just leave the same way it came in. I.E. that since the existing and new VPN’s are set to connect VIA an IP address, I would just configure any new ones to connect to the 4G IP instead of the DSL IP. I must admit, I have no experience at all with router configurations that have multiple WAN’s.

I think I could get away with all of the existing VPN clients terminating on the old (dsl) connection, however I do not think I could have the new site-site connect that way; I plan to use the site to site for off-site backup of some important data, so the connection will be saturated at times. For the site-to-site I will obviously know the static IP of the remote location. I wonder based on what you are saying if I can … use the new line for all internet access and the 1 site-site VPN and use the old line for all remote VPN clients? That would work for me, does that seem possible? That would make the most sence, because I could time my off-site backups to run during hours when normal internet useage is not even neeeded.

Thank You.

Jon Marshall · ‎12-30-2013

Robert

I guess I assumed there was a way to make the traffic just leave the same way it came in. I.E. that since the existing and new VPN’s are set to connect VIA an IP address, I would just configure any new ones to connect to the 4G IP instead of the DSL IP.

Yes, the inbound is easy, but it is the return traffic that is the problem because the router must have a way to distinguish which traffic goes down which link.

The site-to-site VPN could use the new link but you will need to do port forwarding on the router and NAT-T will be needed because you must use the new IP as the peer endpoint but the actual VPN terminates on the ASA with the existing public IP.

So the config is going to get a bit complicated and there may be some trial and error to get it working. Couple of questions before we start -

1) what IOS version is the router running. I'm pretty sure PBR is supported in IP Base but i need to check

2) Can you define general internet access by ports or not ?

Jon

Robert Peck · ‎12-30-2013

1) 15.2 (4) M4

2) I don't see any reason I cannot.

Thank You Jon.

Jon Marshall · ‎12-30-2013

edited

Jon Marshall · ‎12-30-2013

Robert

Okay, having read the ASA config guide it looks like you cannot mix remote access VPNs and site-to-site VPNs through the same NAT/PAT device so you would definitely not be able to run both through the new link but you can run one or other which is fine as we are just running the site-to-site VPN down the new link. Note i'm assuming you know how to setup the site-to-site VPN so i'm just adding the extra bits needed.

One other thing. You should test this out of hours as it may break things or not work. I can't guarantee anything as i don't know the rest of your setup so be careful as you go. I'l outine the steps with some options and some config, Firstly i would try setting up the PBR/NAT for the new link and don't do any config for the site-to-site VPN until that is working so -

1) Define your acls for PBR and NAT.

If it is relatively simple to define general internet access + remote site-to-site VPN peer IP then you can do this. If you can then you can use the same acl for both PBR and NAT. Note even though it is the same acl i would recommend having an acl 101 and an acl 102, one for PBR and one for NAT so you can see the hits per acl which can be helpful for troubleshooting.

If it is not easy then you can do the opposite and use the acl to define the remote access VPN traffic. If you do this the acls are slightly different ie. the acl for PBR permits all IPSEC. (note there is no need to worry about the IPSEC for the site-to-site as this will be encapsulated in UDP port 4500 packets due to NAT-T). For NAT you need to deny all IPSEC traffic because we only want to NAT new link traffic.

Lastly if you can define general access + site-to-site then the config can be applied without any affect on the remote access VPNs.

2) The default route on the 2921. If your PBR configuration matches general internet + site-to-site VPN then leave the default route as is (i'm assuming it already points to the next hop IP of the existing link). If your PBR matches remote access VPN traffic then you would need to change the default route to the new link.

3) PBR + NAT config.

ip nat inside source list interface cellular0/0/0 overload <-- this is for all other traffic down the new link. Note is the acl you defined for the NAT traffic.

route-map PBR permit 10

match ip address <--- this is the acl defined for PBR

set ip next-hop x.x.x.x <-- where x.x.x.x is the next hop IP dependant on which traffic you are matching

4) configure the 2921 interfaces for NAT ie.

int gi0/0

ip nat inside

int cellular0/0/0

ip nat outside

The above should mean all internet traffic (non remote access VPN) should go via the new link. You can test with ping/traceroute/whatismyip.com etc. to make sure it is working.

Once you have this working then you can do the following for the site-to-site VPN tunnel -

5) Enable NAT-T on the ASA -

asa(config)# crypto isakmp nat-traversal 3600

this is need for the site-to-site VPN because it is going through a NAT/PAT device. Note this should not affect your existing remote access VPNs but definitely do out of hours.

6) on the 2921 router -

ip nat inside source static udp 4500 interface cellular0/0/0 4500 <--- this is need for NAT-T UDP 4500 ports

I think that should do it. A lot of it depends on your acls and how you define which traffic to use for PBR and NAT and i wanted to make it easier if you found you couldn't define internet access easily. I have also assumed you want to re NAT the general internet access traffic on the router ie. leave the ASA config alone.

Like i said, i would leave the site-to-site VPN tunnel until after you have got the other stuff working.

Jon

Robert Peck · ‎12-30-2013

Jon, Thank You. I really appreciate your efforts. This looks good, I'm off work tomorrow and new years (Must celibrate another year of living!) So I will take a crack at this on Thursday and let you know how it goes, or ask a few more questions

-Robert

Robert Peck · ‎01-09-2014

Jon, it's working! For the most part, I followed what you posted, couple minor tweaks to cater to my setup. The site-site VPN os not up yet, but I don't expect that to be much of a challange. All Http/s traffic is going 4G and all my prior VPN's are fine going through the DSL link.

Thanks again!

Jon Marshall · ‎01-09-2014

Robert

Glad to helped and thanks for letting me know it worked.

Jon