topic Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP in Network Security

Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 06:36:17 GMT

Hello,

I have a new setup for a client, any insight would be greatly appreciated.

Setup will be: ISP1, ISP2 (SD-WAN), New CB Series Router, New FPR-1000.

I'm basically looking for the best way to set this up with both ISP Links UP and PBR to send ONLY VOIP Traffic over the SD-WAN and 1 (of 2) Site to Site Tunnels.

If I cannot get the equipment tommorow, I will lab it up so that I will have a config to present.....I just wanted to get ahead of this.

Thank You Very Much in Advance!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

M02@rt37 — Sat, 27 Jan 2024 07:21:00 GMT

Hello @PJ123

Set up the SD-WAN functionality on the CB Series Router. Define policies for load balancing and failover between ISP1 and ISP2.

Configure QoS policies for prioritizing VOIP traffic.Implement PBR on the CB Series Router to route VOIP traffic over the SD-WAN link.

Define an access list matching VOIP traffic and create a route map to match the access list and set the next hop for SD-WAN.

As concerned site-2-site VPN configuraton on FPR-1000, set up the necessary VPN tunnels on the FPR for secure comunication and define interesting traffic for the VPN, including the specific site-2-site tunnel for VOIP traffic.

Also, implement the security policies on the FPR to control traffic flow based on security requirements.

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

balaji.bandi — Sat, 27 Jan 2024 08:40:47 GMT

CB Series Router

what model of the Router ?

ISP1 is normal Internet provider

ISP2 is SD-WAN right ? (if you says SD-WAN - they have their own router providing on site equipment) - or you configuring Sd-WAN on your routers ?

Is the both the Links terminated to CB Router ? - there this where where the Route-Map take place based on the matching traffic to send which link. (you have not mentioned what if that link fails ?) - you looking to send traffic over other link or traffic will be black holed ?

Can you draw a diagram how your network looks like to understand better.

There are are different ways to achieve this but i would like to see your diagram and above asked questions input.

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

MHM Cisco World — Sat, 27 Jan 2024 10:33:26 GMT

Which one will face both ISP

FPR or CBS ?

MHM

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 16:51:23 GMT

Hello M02@rt37

Thank you very much for the quick response and info!

I will have to lab this up and see how it looks as nothing is onsite yet (brand new install, no current Router or Firewall in place) and the SDWAN Circuit will not be turned up until Monday. I will reply with the configs if I hit any blocks or need to get a bit more granular on this....

Very much appreciated, Thank You!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 17:05:13 GMT

Hello @balaji.bandi

Thank you for the quick reply!

Router is going to be a C8200L

ISP1 is normal internet provider

ISP2 is going to be SD-WAN and I'm not sure yet but I think they will be putting in their own router, (circuit not getting turned up until Monday) but I would like to plan both ways in case they do not

This is a brand new install and there is no existing router or firewall onsite currently so I believe I will terminate both at the CB Router

I will send a map once I lab it out; there is also a wireless router onsite which I am planning on just putting in AP Mode and into the firewall

Thank you very much again, I will reply with more info as well....

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 17:18:39 GMT

Hello MHM,

Since this is a brand new install with no existing router or firewall in place (just a wireless router as far as I know, probably ISP provided), I believe I will make it the CBS...

Thank you for the quick Reply!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

M02@rt37 — Sat, 27 Jan 2024 17:37:23 GMT

You're so welcome @PJ123

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

MHM Cisco World — Sat, 27 Jan 2024 18:11:30 GMT

CBS is full of bug
put your FPR first then connect CBS behind
MHM

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

balaji.bandi — Sat, 27 Jan 2024 18:20:43 GMT

Sure you can test it - If you know the IP address then access list to match the traffic and use route-map to send SD-WAN Link.

you can use IP SLA if that fails use other ISP link - you need to some testing failovers all working as expected.

if you have any issues - post here the config community can help you.

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sun, 28 Jan 2024 01:51:34 GMT

Appreciated! I was able to get the actual devices luckily...though, I am not onsite yet so I dummied the config. Here is my VERY BASIC Router Config ATM (also dealing with some new command syntax as I haven't had to do this from scratch in quite some time...ugh (any help from here would be appreciated, but I will work on the steps that you provided as well):

version 17.11
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
!
aaa session-id common
!
ip domain name test.local
!
!
!
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool LAN_SUBNET
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!

diagnostic bootup level minimal
!
license udi pid C8200L-1N-4T sn FJC273916BY
memory free low-watermark processor 62864
!
spanning-tree extend system-id
!
!
enable secret 9 X.X.X
!
username cisco secret 9 X.X.X
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 12.34.56.2 255.255.255.0
ip nat outside
ip access-group OUTSIDE_FILTER in
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 12.34.66.2 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 192.168.2.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list INTERNET_ACCESS interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 12.34.56.1
ip ssh bulk-mode 131072
!
ip access-list standard VTY_FILTER
10 permit 192.168.2.0
!
ip access-list extended INTERNET_ACL
10 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended OUTSIDE_FILTER
10 permit icmp any host 12.34.56.0 echo-reply
20 permit udp any eq domain host 12.34.56.0
30 permit tcp any host 12.34.56.0 established
40 permit icmp any host 12.34.66.1 echo-reply
50 permit udp any eq domain host 12.34.56.1
60 permit tcp any host 12.34.66.1 established
!
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0
access-class VTY_FILTER in
transport input ssh
line vty 1 4
transport input ssh
line vty 5 14
transport input ssh
!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 22:09:18 GMT

Looks like my reply may have not gone through, maybe because I pasted the dummy config and didn't attach? Anyway, I will attach my VERY BASIC router config here...I have the physical devices now, but am not onsite....

Thank You!!!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

balaji.bandi — Sat, 27 Jan 2024 22:21:12 GMT

here is the example of route-map

i have used both ACL same to route both the ISP - your case match 2 ACL different to match the traffic to go to each ISP.

https://www.balajibandi.com/?p=1982

Let us know if that works for you ?

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 22:44:18 GMT

Very Helpful, Thank You! I have the actual devices now (but not onsite). I have attached my super basic router config so I will work on implementing that now as I continue to work on this....Thanks, appreciated!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 23:08:09 GMT

Ugh, just looked at the router....I can only do Outside Interface and Inside Interface on this guy (2 Ethernet Interfaces, no cards).....sorry, fixing now.... 😞

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 23:11:40 GMT

Ugh, just looked at the router....I can only do Outside Interface and Inside Interface on this guy (2 Ethernet Interfaces, no cards).....sorry, fixing now....

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Sat, 27 Jan 2024 23:14:08 GMT

Ugh, just looked at the router....I can only do Outside Interface and Inside Interface on this guy (2 Ethernet Interfaces, no cards).....sorry, fixing now.

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Thu, 01 Feb 2024 20:04:07 GMT

Hello M02@rt37

Sorry for the delay but I have more info now:

So the router and asa will be new installs (no existing ones).

I have the router connected to the ASA and can ping it now. In my dummy config, in the ASA the router is configured on 192.168.1.1 (outside) and the ASA is on 192.168.2.1 (inside). The router is configured for internet access on ISP01 (I haven't tested on my home network to see if it works outside yet, but I plan to later).

I reserved interface 3 for the sdwan but haven't gotten to that yet but I will still need all internet traffic to route only over ISP01 on 192.168.1.1 and all other traffic (including VOIP most importantly, over one of the site to site tunnels over the sdwan which will be on interface 3). Could you please have a look at this config and let me know what you think? I also have the ACL's set to any any just because I was testing but I need to set those properly...I removed any non-relevant info from the config too (crypto, etc.)

Thank you so very, very much again!!!!

ASA Version 9.16(2)3
!
hostname test
domain-name test.local
enable password
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
passwd
names
no mac-address auto

!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1/2
no switchport
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1/3
no switchport
nameif sdwan
security-level 0
ip address dhcp
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.20.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8 outside
name-server 8.8.4.4 outside
domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside_subnet
subnet 192.168.2.0 255.255.255.0
object network router
host 192.168.1.1
object-group service www tcp
port-object eq www
port-object eq https
access-list global_access extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu sdwan 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network inside_subnet
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 192.168.20.20 255.255.255.255 management
no snmp-server location
no snmp-server contact

telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
dhcpd address 192.168.20.10-192.168.20.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
class class_snmp
inspect snmp
policy-map global-policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Thank You, So Appreciated!

Re: Dual ISP, Router, FPR ASA and PBR Routing for VOIP

PJ123 — Fri, 02 Feb 2024 00:15:10 GMT

Hello @balaji.bandi

Sorry for the delay but I have more info now:

So the router and asa will be new installs (no existing ones).

Thank you so very, very much again!!!!

ASA Version 9.16(2)3
!
hostname test
domain-name test.local
enable password
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
passwd
names
no mac-address auto

Thank You, So Appreciated!