12-18-2013 08:20 AM - edited 03-11-2019 08:20 PM
We already have ISE IPN on this ASA for our VPN users, but now we want to migrate it to be our Internet firewall as well.
The issue we have is that for the IPN to work, the 'inside' interface of the ASA and the 'outside' or 'untrusted' interface of the IPN have to be on the same network, so we set up two ports on the core switch to be their own VLAN. In this way any and all traffic travels through the IPN on its way to and from the ASA. It was explained to me it had to be this way for the ISE/NAC posturing.
So right now we have static routes in the ASA pointing default to the 'outside' ASA interface, and then specific internal IPs routed through the 'inside' interface to the IPN to get to the internal network.
Speaking with a Cisco tech the other day they suggested using a 'tunneled' route that would force all the VPN traffic to use the default route to the IPN, and then I could setup all my other routes to the 'new-internal' interface and that is how my non-VPN related traffic would get around.
I tried this approach yesterday, and as soon as I removed my big internal route, my VPN users complained that they lost internal connectivity.
Can anyone lend me some options here?
10-06-2014 04:10 PM
Hi,
Were you able to get this to work?
I am having the same issue. Would you happen to have a working config example?
Much appreciated!
Mike
10-07-2014 07:14 AM
I will post my ASA config later today after I scrub it some. Also, my core switch config. Assuming my old brain can remember. :)
10-08-2014 03:40 PM
This is our ASA config. I cleared a lot of object and other VPN configs out of it, but it is still pretty big; I think you can pick the ISE related bits out of it. But I can pare it down more if you need.
10-29-2014 06:36 PM
Hi Dirk,
Thanks much for this information.
I was able to get this working finally using a combo of techniques I had picked up on here and there. Basically I created a subnet between the ASA (inside), IPN (untrusted), and core (4500).
I created a PBR on the core that grabbed VPN subnet sourced traffic and next-hopped it to the untrusted IPN interface. I also created a route on the core for return traffic destined back to the VPN subnet to go through the trusted side of the IPN.
The final gotcha was making sure that the PSN that the IPN is pointing to was the same PSN performing the posturing. From there on, everything worked.
The information you've provided is greatly appreciated.
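The core-switch side of the design Mike describes above (PBR for VPN-pool-sourced traffic toward the IPN untrusted interface, plus the return route via the IPN trusted side), written out as an added illustration; this is not Dirk's or Mike's posted config, and every address, VLAN number and name in it is a constructed placeholder.

```cisco
! Catalyst 4500 core: send VPN-pool traffic through the IPN for posturing.
! Constructed placeholder addressing (not from the thread):
!   VLAN 200 / 10.200.0.0/24  transit VLAN shared by ASA inside, IPN untrusted, core
!   10.200.0.1                ASA 'inside' interface
!   10.200.0.2                IPN 'untrusted' interface
!   10.200.0.3                core SVI on the transit VLAN
!   VLAN 201 / 10.201.0.0/24  IPN 'trusted' side; core SVI 10.201.0.1, IPN 10.201.0.2
!   10.99.0.0/24              VPN client pool handed out by the ASA
!
! 1. Match traffic sourced from the VPN pool as it arrives from the ASA.
ip access-list extended VPN-POOL-SOURCED
 permit ip 10.99.0.0 0.0.0.255 any
!
! 2. Policy-route only that traffic to the untrusted side of the IPN so it is
!    postured before it reaches the internal network. Anything else arriving
!    from the ASA (e.g. Internet return traffic) is not matched and follows
!    the normal routing table.
route-map VPN-TO-IPN permit 10
 match ip address VPN-POOL-SOURCED
 set ip next-hop 10.200.0.2
!
! 3. Apply the policy on the transit VLAN SVI, the ingress point for ASA traffic.
interface Vlan200
 description Transit: ASA inside / IPN untrusted / core
 ip address 10.200.0.3 255.255.255.0
 ip policy route-map VPN-TO-IPN
!
interface Vlan201
 description IPN trusted side
 ip address 10.201.0.1 255.255.255.0
!
! 4. Return traffic for the VPN pool goes back through the trusted side of the
!    IPN, so the IPN sees both directions of every VPN session.
ip route 10.99.0.0 255.255.255.0 10.201.0.2
!
! 5. Default route to the ASA for internal-to-Internet traffic.
ip route 0.0.0.0 0.0.0.0 10.200.0.1
!
! ASA side (placeholder): internal networks are reached via the core on the
! transit VLAN; the ASA no longer needs to route them to the IPN itself.
!   route inside 10.0.0.0 255.0.0.0 10.200.0.3 1
```

A quick sanity check after applying this is a traceroute from a VPN client to an internal host: the path should show the core, then the IPN, before the destination, and the same PSN the IPN uses must be the one posturing the client.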
10-08-2014 08:52 PM
As of ASA 9.2, you can simply use RADIUS CoA with your ISE server directly from the ASA and remove the entire IPN from the picture.
See the following in the ASA 9.2 Release notes:
10-09-2014 07:06 AM
Yes, I am aware of this.
I just have not had the clearance from Management to get us moved to this scenario, yet.
Since we have the physical IPN, and a VM doing everything else, the plan is to redo the IPN to a full ISE and redo the VM to be a full ISE, and have an HA pairing. Eventually. :)
I know that once we get the IPN out of the picture we will be able to remove the ISE_VPN Interface from the ASA.