Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need Help with ASA to IOS S2S VPN Tunnel w/GRE

Hello everyone,

I have a situation where we currently have a wireless bridge connecting two buildings that are across the street from each other.  Both data and voice is using this wireless link.  Both bridges are trunked to allow multiple VLANs to go across.  Due to much wireless interference, we have had complaints of the connection causing slowness, disconnects, and dropped calls.  In a temporary attempt to resolve this issue, since we're a hospital, we ordered a 100Mbps Internet link for the remote building.  Our main office uses the ASA 5525-X and I would like to add an 800 series router at the remote building.  I would like to establish a site-to-site VPN using GRE so that the remote end will be able to pass EIGRP.  Also, I'm going to need our VoIP phones to be able to obtain their info from the PBX at the main office.  Is this possible and if so, can someone help point me in the right direction?  Thanks!

 

Regards,

Terence

8 REPLIES
Hall of Fame Super Silver

Terence It is not going to be

Terence

 

It is not going to be as easy as you want it to be. The first issue is that the ASA5525X does not support GRE. You could do a site to site IPSec tunnel between an 800 router and the ASA but not GRE. So there would not be a routing protocol running over it.

Perhaps put a small router at the main building and do the GRE between the routers. Other than wanting to use the Public IP and Internet connectivity of the ASA is there any reason to need the traffic to go through the ASA? Would it be feasible to put the small router at your main building on the Public subnet with its own IP address and have the inside interface of the router connect to some switch inside your network and bypass the ASA?

 

HTH

 

Rick

New Member

Hello Richard,I do have 2 800

Hello Richard,

I do have 2 800 series routers I can put on both ends to establish the GRE tunnel since the ASA doesn't do GRE.  We have a Web filter that all our employees are required to go through so I need all traffic such as data, VoIP, and Internet to go through this tunnel to communicate with both internal and external resources.

Hall of Fame Super Silver

Terence Thank you for the

Terence

 

Thank you for the additional information. Part of it is helpful in confirming some things that may be possible, but it also raises an additional question. If you do have two 800 series routers then you should be able to do GRE and encrypt the traffic.

 

But I believe that there are at least two issues that you should consider in determining whether this will provide an effective solution.

- The GRE tunnel provides a routed link. In your original post you tell us that the current connection is trunked with multiple VLANs. You will not be able to extend multiple VLANs using GRE. You could terminate the VLANs on the remote router and route those subnets over the GRE to communicate with multiple VLANs/subnets on your side. But you will not have local communication between hosts in one VLAN (perhaps voice) on the remote side with hosts in the local VLAN. You might investigate whether L2TPv3 would provide a solution for extending the VLANs.

- There is also an important question of where to put the router on your side and how traffic would flow. I see three possibilities each of which has potential challenges.

__ you might put the router behind your ASA. This probably simplifies the implementation of tunneling and encryption. But I do not know what you would do for the requirement that all traffic go through the web filter (which I assume is done in the ASA).

__ you might put the router in parallel with the ASA outside interface on the outside subnet. This assumes that you have an available IP address to use for the router outside interface. After the router has decrypted the traffic you might then connect the router inside interface to an interface on the ASA (sort of like DMZ) where you might inspect the traffic and direct it to the web filter.

__ you might put the router in front of the ASA. The router could do the tunneling and encryption and pass de crypted traffic to the ASA. But that creates challenges in how you address the ASA and how you do the address translation.

 

HTH

 

Rick

New Member

Thanks for the response Rick

Thanks for the response Rick!

I was thinking about putting the 800 series router in parallel with the ASA by giving it an available public IP.  We have a /24 of a public IP block so that wouldn't be a problem.  I've attached a quick diagram of how I'm looking at the set up for this.  In the diagram, the scsr871w would have two interfaces (one for the outside & the other for the local subnet).  The remote side (2045_871w) would be set up where 1 interface is connected directly to the 100Mbps Internet link and the other connected to it's local subnet.  I would create the S2S tunnel between the 800 series and ASA then establish the GRE between both 800 series routers.  At the remote side, I would use a default route pointing to the IP of the local subnet of scsr871w.  Are there any concerns with this type of set up?

Hall of Fame Super Silver

Terence As I look at it there

Terence

 

As I look at it there seem to be differences between what the drawing shows and what you describe verbally. In the drawing it looks like the Internet connects to the ASA which connects to a switch which connects to the router. Is that switch where the local subnet is? Or is it connecting ASA and router and the local subnet is somewhere else? If it were a parallel connection I would expect the connection from the Internet to come into some switch which would connect to both the ASA and the router.

 

Your verbal description suggests that VPN traffic coming through the router would then go directly to the local subnet. In that case I would think that you would not want the encryption to be done on the ASA. I would think that the S2S would be router to router rather than router to ASA. I have a customer who has implemented essentially this setup and it works well for them.

 

HTH

 

Rick 

New Member

Router to Router is ideal as

Router to Router is ideal as the router at the main office will be behind the firewall.  I can assign an interface a public IP and connect it to the VLAN where are external addresses reside.  I was trying to test this config but I'm stuck.  Can you provide an example of how this would be done?

Hall of Fame Super Silver

Terence I am a bit confused.

Terence

 

I am a bit confused. Your prior post talked about having the router in parallel with the ASA. Now the most recent post says the router will be behind the firewall. Can you clarify this so I understand it better?

 

So your ASA is configured with a public IP on its outside interface and also has a block of other public IP addresses that are configured on another interface (DMZ or something)? And you would connect the router outside interface onto that subnet of the ASA?

 

In that case the configuration of the routers would be fairly straightforward (you may choose the traditional GRE/IPSec or the VTI approach) in which you have a tunnel between the routers, encrypt the traffic going through the tunnel, and probably running a routing protocol over the tunnel.  There are several things you would need on the ASA.

- you would need an access policy on the outside interface of the ASA to permit the router to router traffic (in particular the ISAKMP and the ESP traffic).

- you would need routing logic on the router so that it routes traffic received from the remote peer to go out the inside interface with the ASA interface as its next hop.

- you would need an access policy that allows traffic received from the VPN to assess the inside network.

- you would need routing logic inside your network that forwards traffic to the remote site using the ASA as its next hop and the ASA has to send that traffic through its interface to the router.

- depending on whether you have access policy for the inside interface you might need to make some changes in that policy to allow the VPN traffic.

 

HTH

 

Rick

you can do it, but you need

you can do it, but you need one more router besides ASA.

I did so. I have configurations liky this.

 

loopback interface Router-- ASA ---internet --- Router800.

Ipsec from ASA to Router800

GRE from loopback interface Router-- to Loopback Router800.

and routing protocol over GRE

 

and dont forget to rate post

265
Views
6
Helpful
8
Replies