01-10-2018 11:41 AM - edited 02-21-2020 07:06 AM
Hello.
I have a customer with roughly 80 various types of partner site-to-site VPNs with ACLs. Some of the VPNs use LDAP and some use RADIUS to authenticate. They want to migrate from their production firewall to the colo firewall and hairpin all their VPN traffic through the prod FW to the colo firewall. I believe the prod firewall rules should apply all the ACLs and I would just need to create the S2S between prod and colo and push everything through it.
Two issues to this come up in my mind.
1) Directly connected subnets interfaces on prod need to be pushed to the colo
2) Prod firewall needs to get authentication traffic across the prod to colo firewall
I’m looking for anyone who’s got some experience with this to prevent me from hitting gotchas, as it's a lot of S2S tunnels to move. I have about a month to get this nailed down.
Hairpin Firewall starts out something like this:
! AAA servers: LDAP (with an attribute map that turns the AD "department" value into a group-policy) and RADIUS
ldap attribute-map LDAP-Group-Policy
 map-name department Group-Policy
aaa-server LDAP protocol ldap
 reactivation-mode timed
aaa-server LDAP (Inside) host cisco.com
 ldap-base-dn DC=Cisco,DC=Cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password blahblah
 ldap-login-dn CN=Cisco,DC=Cisco,DC=com
 server-type microsoft
 ldap-attribute-map LDAP-Group-Policy
aaa-server Radius protocol radius
 reactivation-mode timed
aaa-server Radius (Inside) host cisco.com
 key blahkey
 authentication-port 1812
 accounting-port 1813
 radius-common-pw blahblah
!
! Partner 1: authenticates against RADIUS
object network SubPart-1
 subnet 10.0.1.0 255.255.255.0
object network Prod-1
 subnet 10.10.10.0 255.255.255.0
ip local pool PoolPart-1 10.1.1.1-10.1.1.254 mask 255.255.255.0
! SubPart-1 and Prod-1 are "object network" definitions, so the ACL references them with "object", not "object-group"
access-list SplitTunnel_Part-1 extended permit ip object SubPart-1 any
access-list SplitTunnel_Part-1 extended permit ip object Prod-1 any
group-policy GPPart-1 internal
group-policy GPPart-1 attributes
 ! the network list is only consulted when the split-tunnel policy is "tunnelspecified"
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_Part-1
 address-pools value PoolPart-1
! as posted these are remote-access tunnel-groups, not site-to-site (type ipsec-l2l) ones
tunnel-group Part-1 type remote-access
tunnel-group Part-1 general-attributes
 authentication-server-group Radius
 authorization-required
 default-group-policy GPPart-1
! the ipsec-attributes block must name the same tunnel-group as the "type" line (was TGPart-1)
tunnel-group Part-1 ipsec-attributes
 pre-shared-key blahblah
!
! Partner 2: authenticates and authorizes against LDAP
object network SubPart-2
 subnet 10.0.2.0 255.255.255.0
object network Prod-2
 subnet 10.20.20.0 255.255.255.0
ip local pool PoolPart-2 10.2.2.1-10.2.2.254 mask 255.255.255.0
access-list SplitTunnel_Part-2 extended permit ip object SubPart-2 any
access-list SplitTunnel_Part-2 extended permit ip object Prod-2 any
group-policy GPPart-2 internal
group-policy GPPart-2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_Part-2
 address-pools value PoolPart-2
tunnel-group Part-2 type remote-access
tunnel-group Part-2 general-attributes
 ! without authentication-server-group the tunnel-group falls back to LOCAL authentication
 authentication-server-group LDAP
 authorization-server-group LDAP
 authorization-required
 default-group-policy GPPart-2
tunnel-group Part-2 ipsec-attributes
 pre-shared-key blahblah
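A pre-migration consistency check, added here as an example and not part of the original post or of any Cisco tooling: it walks an ASA config fragment and lists every name that is referenced but never defined (an ACL saying object-group for an "object network", a tunnel-group ipsec-attributes block naming TGPart-1 while only Part-1 was created, a missing aaa-server group, pool or ACL), which is the kind of slip that multiplies across 80 tunnel groups. The sample config is constructed and the function name is my own.

```python
import re
from collections import defaultdict
# Constructed ASA fragment: the ACL uses object-group for an object network, and TGPart-1 is never defined
SAMPLE_CONFIG = """\
aaa-server Radius protocol radius
object network SubPart-1
access-list SplitTunnel_Part-1 extended permit ip object-group SubPart-1 any
group-policy GPPart-1 internal
group-policy GPPart-1 attributes
 split-tunnel-network-list value SplitTunnel_Part-1
tunnel-group Part-1 type remote-access
tunnel-group Part-1 general-attributes
 authentication-server-group Radius
 default-group-policy GPPart-1
tunnel-group TGPart-1 ipsec-attributes
"""
# (regex, kind): lines that define a name of that kind
DEFINERS = [
    (re.compile(r"^object network (\S+)"), "object"),
    (re.compile(r"^object-group network (\S+)"), "object-group"),
    (re.compile(r"^aaa-server (\S+) protocol "), "aaa-server"),
    (re.compile(r"^group-policy (\S+) internal"), "group-policy"),
    (re.compile(r"^tunnel-group (\S+) type "), "tunnel-group"),
    (re.compile(r"^access-list (\S+) "), "access-list"),
    (re.compile(r"^ip local pool (\S+) "), "pool"),
]
# (regex, kind): lines that reference a name that must be defined somewhere in the config
REFERENCERS = [
    (re.compile(r"^tunnel-group (\S+) (?:general|ipsec|webvpn)-attributes"), "tunnel-group"),
    (re.compile(r"^(?:authentication|authorization|accounting)-server-group (\S+)"), "aaa-server"),
    (re.compile(r"^default-group-policy (\S+)"), "group-policy"),
    (re.compile(r"^split-tunnel-network-list value (\S+)"), "access-list"),
    (re.compile(r"^address-pools value (\S+)"), "pool"),
]
ACL_OBJ = re.compile(r"\bobject(-group)? (\S+)")  # object references inside ACL lines

def lint_asa_config(text):
    """Return [(line_no, kind, name)] for every reference to a name that is never defined."""
    defined, refs = defaultdict(set), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # sub-mode commands are indented; strip before matching
        for rx, kind in DEFINERS:
            if m := rx.match(line):
                defined[kind].add(m.group(1))
        for rx, kind in REFERENCERS:
            if m := rx.match(line):
                refs.append((no, kind, m.group(1)))
        if line.startswith("access-list "):  # source and destination may both name objects
            for m in ACL_OBJ.finditer(line):
                refs.append((no, "object-group" if m.group(1) else "object", m.group(2)))
    return [r for r in refs if r[2] not in defined[r[1]]]
```

Run it over the full `show running-config` of the prod firewall before building the colo side; an empty list means every object, ACL, pool, group-policy, aaa-server and tunnel-group reference resolves.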
01-12-2018 05:43 AM
It looks like there is a requirement for the prod firewall to have 8.3, which it doesn't, and I don't want to do that upgrade. So I'm now looking at doing the big tunnel to a second interface/IP.