LAN to LAN VPN as Backup -Need Help with Routing-

Antonio Morales (Level 1)

We have a site that has communication with the rest of our network through MPLS.

We want to create an L2L VPN over the Internet and route traffic through it when MPLS is not available. Here is where I need help: how to switch automatically to the VPN tunnel when MPLS is not available.

Points to consider:

  • Static routes are used on the ASAs
  • One of the ASAs on network 10.10.x.x is a VPN hub for remote workers, so it has a static route to the inside interface to reach network 10.11.x.x

I'm a little confused about how to route this scenario, because on the ASA I have the static route for network 10.11.x.x pointing to inside, but it is also the interesting traffic for the VPN tunnel, in which case I have to configure a route for 10.11.x.x pointing to the outside.

I have an idea: configuring routing based on IP SLA on the ASAs and on the core switches, monitoring the provider side of the MPLS.

Also, what about enabling EIGRP on the ASAs?

Any help will be highly appreciated.

Attachment: TCO-TAC L2L VPN.png
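The IP SLA idea from the post, written out as an added example in ASA 8.x syntax (this is not the poster's configuration). The inside next hop 10.0.29.153, the ISP gateway 65.X.Y.129 and the 10.11.0.0/16 prefix are taken from the configuration posted later in the thread; the probe target 10.11.0.1, the SLA and track ids and the timers are assumptions.

```cisco
! Added example, not the poster's config: ASA static-route failover with IP SLA.
! Assumed: probe target 10.11.0.1 is a host that is only reachable across MPLS.
!
! ICMP probe sourced from the inside interface. The "interface" keyword pins
! the probe's egress interface, so the probe keeps going toward the MPLS side
! even after the tracked route has been withdrawn, which is what lets the ASA
! notice when MPLS recovers.
sla monitor 10
 type echo protocol ipIcmpEcho 10.11.0.1 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Tracking object 1 follows the reachability result of SLA 10.
track 1 rtr 10 reachability
!
! Primary path to 10.11.0.0/16: via the L3 switch and the MPLS cloud.
! This route is installed only while track 1 reports "up".
route inside 10.11.0.0 255.255.0.0 10.0.29.153 1 track 1
!
! Floating backup (AD 254) out the outside interface. It is inactive while the
! tracked route exists. When the probe fails, the inside route is removed, this
! one takes over, and because 10.11.0.0/16 matches the crypto ACL the traffic
! is encrypted toward the L2L peer instead of leaving in the clear.
route outside 10.11.0.0 255.255.0.0 65.X.Y.129 254
```

Two checks are worth doing after applying it: `show track 1` and `show route 10.11.0.0` while MPLS is up (the inside route must be the one installed), and the same after the probe target is made unreachable (the outside route must appear and `show crypto ipsec sa` must show the tunnel carrying the traffic). Choosing the probe target is the security-relevant part: it must be something that can only be reached through MPLS, otherwise the track never fails and the backup never activates.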


Hi,

What about configuring EIGRP on the ASAs?

You can make EIGRP prefer the MPLS path and use the VPN if MPLS is not available (and switch back to MPLS when it recovers).

You need to configure the Site-to-Site tunnel on the ASAs as you would normally.

EIGRP will take care of establishing the tunnel when needed.

Federico.

Thanks for the reply Federico.

I'm posting my config here; hopefully you can check it out and give me some feedback, especially on the routing changes I'm going to make.

It is a possibility that I can try this during a maintenance window.

Thanks again.

ASA5520 SITE A

object-group network NET_BEH_TAC
 network-object 10.B.x.x 255.x.x.x
 network-object 10.C.x.x 255.x.x.x
 network-object 10.C.x.x 255.x.x.x
 network-object 10.E.x.x 255.x.x.x
!--- Object group for networks reachable from SITE B (TAC)

!--- ACL for traffic to be encrypted between SITE A and SITE B firewalls
access-list outside_cryptomap_10 extended permit ip 10.A.X.X 255.x.x.x object-group NET_BEH_TAC

!--- Access-list for traffic to bypass the network address
!--- translation (NAT) process.
access-list inside_nat0_outbound extended permit ip 10.A.x.x 255.x.x.x object-group NET_BEH_TAC

!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound

!--- PHASE 2 CONFIGURATION
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac

!--- Define which traffic can be sent to the IPsec peer.
crypto map dyn-map 10 match address outside_cryptomap_10
!--- Sets the IPsec peer.
crypto map dyn-map 10 set peer 63.A.B.C
!--- Sets the IPsec transform set "VPN_TRANSFORM"
!--- to be used with the crypto map entry "dyn-map".
crypto map dyn-map 10 set transform-set VPN_TRANSFORM
crypto map dyn-map 10 set security-association lifetime seconds 28800
crypto map dyn-map 10 set security-association lifetime kilobytes 4608000
!--- Crypto map applied to the outside interface of the ASA.
crypto map dyn-map interface outside

!--- PHASE 1 CONFIGURATION
!--- This configuration uses isakmp policy 10.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 63.A.B.C type ipsec-l2l
tunnel-group 63.A.B.C ipsec-attributes
 pre-shared-key ********

ASA5520 SITE B

object-group network NET_BEH_TAC
 network-object 10.B.x.x 255.x.x.x
 network-object 10.C.x.x 255.x.x.x
 network-object 10.C.x.x 255.x.x.x
 network-object 10.E.x.x 255.x.x.x
!--- Object group for networks reachable from SITE B (TAC)

!--- ACL for traffic to be encrypted between SITE B and SITE A firewalls
access-list outside_cryptomap_10 extended permit ip object-group NET_BEH_TAC 10.A.x.x 255.x.x.x

!--- Access-list for traffic to bypass the network address
!--- translation (NAT) process.
access-list inside_nat0_outbound extended permit ip object-group NET_BEH_TAC 10.A.x.x 255.x.x.x

!--- Specify the NAT configuration.
!--- NAT 0 prevents NAT for the ACL defined in this configuration.
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound

!--- PHASE 2 CONFIGURATION
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac

!--- Define which traffic can be sent to the IPsec peer.
crypto map dyn-map 10 match address outside_cryptomap_10
!--- Sets the IPsec peer.
crypto map dyn-map 10 set peer 65.X.Y.Z
!--- Sets the IPsec transform set "VPN_TRANSFORM"
!--- to be used with the crypto map entry "dyn-map".
crypto map dyn-map 10 set transform-set VPN_TRANSFORM
crypto map dyn-map 10 set security-association lifetime seconds 28800
crypto map dyn-map 10 set security-association lifetime kilobytes 4608000
!--- Crypto map applied to the outside interface of the ASA.
crypto map dyn-map interface outside

!--- PHASE 1 CONFIGURATION
!--- This configuration uses isakmp policy 10.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 65.X.Y.Z type ipsec-l2l
tunnel-group 65.X.Y.Z ipsec-attributes
 pre-shared-key **********

ASA5520 SITE A - routing changes

router eigrp 99
 network 10.0.0.0 255.255.224.0
 passive-interface G0/0
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 65.X.Y.129 1
no route inside 10.A.x.x 255.x.x.x 10.0.29.153 1
no route inside 10.B.x.x 255.x.x.x 10.0.29.153 1
no route inside 10.C.x.x 255.x.x.x 10.0.29.153 1
no route inside 10.D.x.x 255.x.x.x 10.0.29.153 1

no route outside 10.K.x.x 255.x.x.x 65.X.Y.129 1
no route outside 10.L.x.x 255.x.x.x 65.X.Y.129 1
! The two above are L2L that will become connected with EIGRP enabled

no route outside 10.M.x.x 255.255.x.x 65.X.Y.129 1
! Above is a SOHO VPN and will become connected with EIGRP enabled

route dmz-vlan 0.0.0.0 0.0.0.0 10.0.28.1 tunneled
! This route is used to route traffic for NAC

ASA5520 SITE B - routing changes

router eigrp 99
 network 10.11.0.0 255.255.0.0
 passive-interface G0/0
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 63.A.B.129 1
no route inside 10.x.x.x 255.x.x.x 10.B.x.129 1

Configuration looks fine, but I have some questions...

Is the default gateway for the machines on the LAN (on either side) the router connected to the MPLS?

I mean... the router receives the packets to be sent through the MPLS cloud, and since it talks EIGRP with the ASA it can decide that a better route exists through the ASA (when MPLS is down).

You need to check that the router and ASA are EIGRP peers and that the route through MPLS is preferred.

Federico.

I'm attaching the WAN diagram; the green arrow is the tunnel we want to create. The switches are L3 running EIGRP along with all the routers.

On the MPLS edge I'm running BGP, redistributing into each other.

Answering your question: the ASA will learn the routes from the L3 switches. The L3 switches are the gateways for all workstations because they have the VLAN information; they also have the default route 0.0.0.0 0.0.0.0 pointing to the ASA.
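One way to wire the EIGRP idea into the ASA, as an added example; this is not the poster's or Federico's configuration. It assumes ASA 8.x, EIGRP AS 99, the inside next hop 10.0.29.153 and ISP gateway 65.X.Y.129 from the posted config, and 10.11.0.0/16 as the prefix behind the L2L peer; the ACL and route-map names are made up. One fact drives the design: a policy-based crypto map on the ASA carries no EIGRP hellos, so the ASA never forms an adjacency across the L2L tunnel. The remote prefixes reach the switches only if the ASA redistributes its own static routes toward them, so those outside statics must stay on the box.

```cisco
! Added example, not the poster's config: ASA EIGRP with the L2L tunnel as a
! last-resort path. Assumed values: inside switch subnet 10.0.29.0/24, ISP
! gateway 65.X.Y.129, remote prefix 10.11.0.0/16, EIGRP AS 99.
!
! Floating static toward the remote site. AD 200 loses to any EIGRP route
! (90 internal / 170 external) the inside switch advertises while MPLS is up,
! so the ASA itself keeps sending 10.11.0.0/16 toward the switch. When MPLS
! fails and the switch withdraws the prefix, this route enters the RIB and
! the crypto ACL match sends the traffic into the tunnel.
route outside 10.11.0.0 255.255.0.0 65.X.Y.129 200
route outside 0.0.0.0 0.0.0.0 65.X.Y.129 1
!
! Only the tunnel prefixes are allowed into EIGRP; the default route is not
! redistributed because the switches already carry it as a static.
access-list EIGRP_TUNNEL_NETS standard permit 10.11.0.0 255.255.0.0
route-map TUNNEL_NETS_TO_EIGRP permit 10
 match ip address EIGRP_TUNNEL_NETS
!
router eigrp 99
 ! Adjacency only on the inside segment; never speak EIGRP toward the Internet.
 network 10.0.29.0 255.255.255.0
 passive-interface outside
 ! Redistribute whatever statics are currently in the RIB. While MPLS is up the
 ! floating static is not installed, so nothing is advertised; once it installs,
 ! the switch learns 10.11.0.0/16 as an external (AD 170) via the ASA.
 ! Seed metric: 56 kbit/s, 20000 x 10 us delay, deliberately poor so that it
 ! never competes with a live MPLS path in the switch's topology table.
 redistribute static metric 56 20000 255 1 1500 route-map TUNNEL_NETS_TO_EIGRP
 no auto-summary
```

Verify on a core switch with `show ip eigrp topology 10.11.0.0/16` and `show ip route 10.11.0.0` in both states: with MPLS up the next hop must be the MPLS edge and the ASA must not even appear; with MPLS down the only successor must be the ASA. Split horizon keeps a switch from advertising the ASA-originated prefix back to the ASA on the same inside segment, but if the two core switches also exchange EIGRP over a separate link, confirm on the ASA (`show route`) that 10.11.0.0/16 is still its own static during the failure and not an EIGRP route pointing back at a switch.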

If you have control of the routers at each site, use DMVPN as the failover path between the two sites. Make the path between each site less preferred than the MPLS cloud. Let the routers do their job of re-routing.

Hi tyscott,

1. I tried GRE tunnels with full-mesh configurations, but I had some issues with the path the packets followed; sometimes traffic from one site to another didn't come back on the same path.

2. Another concern I had was QoS. We use these networks primarily for VoIP since we have call centers, so QoS for VoIP is very important for us. Do you know where to apply QoS? On the tunnel interface or on the MPLS interface? MPLS, I think, but not sure.

3. How much overhead is added using GRE tunnels?

Thanks

GRE adds 24 bytes, 28 bytes if you use a tunnel key. By changing the IPsec transform set from tunnel to transport mode there is not that much difference between DMVPN and regular site-to-site tunnels.

QoS, if trying to distinguish VoIP from other traffic, should be marked pre-encapsulation, so on the tunnel interface you would configure qos pre-classify. But are you getting service guarantees over the Internet?

Note that you would not be using the DMVPN when the MPLS cloud is functional; it would only be a backup connection. There should be no reason to have asymmetric routing issues if you design it correctly.

The benefit of DMVPN is that all the route propagation can be handled through dynamic routing protocols, so you better detect a network failure without having to use SLAs, and your ASA should no longer need to be topology aware.
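The DMVPN backup path described in the reply, as an added IOS example that is neither tyscott's nor the poster's configuration. It assumes the public addresses 63.A.B.C (hub) and 65.X.Y.Z (spoke) from the thread, a tunnel subnet 172.16.99.0/24, EIGRP AS and NHRP network-id 99, and GigabitEthernet0/0 as the Internet-facing interface; the pre-shared key and NHRP authentication string are placeholders.

```cisco
! Added example, not from the thread: mGRE + IPsec (transport mode) as a
! backup path that EIGRP uses only when the MPLS-learned route is gone.
!
! ---- both routers ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 0.0.0.0
!
! Transport mode: GRE already supplies the outer IP header, so ESP does not
! add a second one. Per-packet cost is GRE (24 B, 28 B with "tunnel key")
! plus the ESP header/trailer, rather than GRE plus tunnel-mode ESP.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- hub (public 63.A.B.C) ----
interface Tunnel0
 ip address 172.16.99.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ! High delay makes the tunnel path's composite metric far worse than the
 ! MPLS path, so EIGRP installs it only after the MPLS route is withdrawn.
 delay 50000
 ! Classify/mark VoIP on the inner packet before GRE/ESP encapsulation so the
 ! outer header inherits the marking and egress queuing can still see it.
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 99
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 99
 network 172.16.99.0 0.0.0.255
 network 10.0.0.0
 no auto-summary
!
! ---- spoke (public 65.X.Y.Z) ----
interface Tunnel0
 ip address 172.16.99.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.16.99.1 63.A.B.C
 ip nhrp map multicast 63.A.B.C
 ip nhrp network-id 99
 ip nhrp nhs 172.16.99.1
 delay 50000
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 99
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 99
 network 172.16.99.0 0.0.0.255
 network 10.11.0.0 0.0.255.255
 no auto-summary
```

One caveat specific to this thread's topology: the poster's MPLS routes enter EIGRP by redistribution from BGP, so the switches and routers hold them as EIGRP external routes (AD 170), while routes learned natively over the tunnel are EIGRP internal (AD 90). EIGRP prefers an internal route to an external one for the same prefix regardless of the delay set here, so after bringing the tunnel up, check `show ip route 10.11.0.0` on the hub with MPLS healthy: if the next hop is the Tunnel0 peer rather than the MPLS edge, the two paths have to be made comparable (same route type, or adjusted administrative distance) before the delay value alone will keep the tunnel as backup.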