Cisco ISR 927-4P - Dialer to VLAN/Interface without NAT

JaseNL
Level 1

Hi All

I have a Cisco C927-4P connected between my VDSL connection and a Cisco ASA 5506-X (C927-4P configuration below). This works fine with the C927-4P handling NAT, but I need to set up an IPSec VPN on the ASA, which requires that the NAT be handled by the ASA so that the VPN termination uses the pre-NAT IP address. I've read various posts mentioning this kind of thing, but they typically involve keeping the NAT function on the side end, or hard-coding the VDSL IP address at VLAN or interface level even though this is negotiated in the dialer configuration.

If possible I'd like to make use of the DHCP-assigned VDSL IP address - it doesn't change very often but it would be nice for it to be picked up automatically when it does.

I'd also prefer to do this via a VLAN rather than by bridging, since it would mean I could trunk a management VLAN to the router together with the dialer traffic.

But if either of these preferences is not possible, I'll live with it.

Can anyone suggest the best way to do this?

Thanks in advance

Current C927-4P configuration (relevant bits):

interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.6
 description pppoe-VDSL
 encapsulation dot1Q 6
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1
 no ip address
 shutdown
!
interface GigabitEthernet2
 no ip address
 shutdown
!
interface GigabitEthernet3
 no ip address
 shutdown
!
interface GigabitEthernet4
 description ASA-WAN-Uplink
 ip address 10.1.0.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Dialer1
 description dialer-VDSL
 mtu 1492
 ip address negotiated
 ip access-group WAN-IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp pap sent-username <DSL_USERNAME> password 7 <DSL_PASSWORD>
 ppp ipcp route default
 ppp ipcp address accept
!
ip default-gateway 10.1.0.1
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.255.0.0 10.1.0.1
!
ip access-list extended WAN-IN
 deny tcp any any eq 22
 deny tcp any any eq www
 deny tcp any any eq 443
 deny tcp any any eq telnet
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any
!
dialer-list 1 protocol ip permit
access-list 1 permit 10.0.0.0 0.255.255.255

IPsec is between two routers or FWs. It can be:

static-to-static
dynamic-to-static

Here, since your dialer interface does not have a manual IP, you need to use the second approach, dynamic-to-static: the static peer config is your ASA, and the dynamic peer will be the other router/FW.
You cannot solve this issue with NAT only or with BDI.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

Hi,

Thanks for your response. I'm not too worried about setting up the VPN termination on the ASA. My concern is how best to set up the router so the VDSL traffic goes straight out to the ASA without NAT on the router side. I had in mind to send it through a VLAN which would mean I could use a trunk with a second VLAN for router management. But I don't know if this is best practice or if there is a better way.

Just for clarity, the VPN I will be setting up on the ASA is remote access, not site-to-site.

Thanks

Try to use BDI then.

As far as I can make out, BDI is a feature of XE software. I have 15.8(3)M3b running on my router. Can I do something similar with a BVI, or otherwise dialer direct to VLAN (with PBR perhaps)?

I realise there are multiple ways to do this; I'm looking for guidance on the optimal approach in terms of performance and best practice.

I will also need a management interface to the router. With a BVI this will need to be a separate ethernet connection; with the VLAN option I can trunk the management VLAN together with the WAN.

Thanks

Troubleshoot Bridge Virtual Interface and Bridge Domain Interface - Cisco
It is only a term: IOS calls it BVI, IOS XE calls it BDI.

Thanks again.

OK, so I'll use a BVI to bridge the dialer to an ethernet interface.

One question though, will that work given that the dialer interface gets its IP address by DHCP? Will I have to hard-code the dialer interface IP address at the ASA, or would it be better to move the dialer to the ASA and bridge the PPPoE VLAN?

Sorry for all the questions

I will run a lab today or tomorrow about this point.

Oh, great. Thanks.

Oh, that looks perfect. Thanks for all this work. So the ASA interface is getting its IP address from the DHCP service on IOU2 e0/0 over the bridged interfaces on IOU1, which is exactly what I need. Did you use ip address dhcp setroute on ASA Gi0/0?

Yes, the ASA gets its IP from the PPPoE server, and yes, you can add setroute.

MHM
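As an added illustration (not configuration posted by anyone in this thread), here is the router side of the bridged approach the thread settled on: the PPPoE VLAN on Ethernet0.6 is bridged through to the ASA uplink on GigabitEthernet4, so the ASA runs the PPPoE client itself and holds the public address, with no NAT on the router. It assumes this platform accepts bridge-group on the Ethernet0.6 VDSL subinterface, that bridge group 1 is unused, and that GigabitEthernet3 is free for management; verify each on the device.

```cisco
! Added example, not from the original thread. Assumptions: bridge-group is
! accepted on the Ethernet0.6 subinterface of this platform, bridge group 1
! is free, and GigabitEthernet3 is available for management.
!
! Transparent bridge: PPPoE frames from the VDSL VLAN reach the ASA untouched.
! No BVI address is needed, because the bridged segment carries PPPoE, not
! routed IP; the public address is negotiated by the ASA's own PPPoE client.
bridge 1 protocol ieee
!
interface Ethernet0.6
 description pppoe-VDSL (bridged to ASA)
 encapsulation dot1Q 6
 no pppoe-client dial-pool-number 1
 no pppoe enable group global
 bridge-group 1
!
interface GigabitEthernet4
 description ASA-WAN-Uplink (bridged)
 no ip address
 no ip nat inside
 bridge-group 1
!
! Dialer1, the NAT overload rule and the WAN-IN access-group are no longer in
! the forwarding path once the ASA terminates PPPoE. The router's ACL stops
! filtering Internet traffic, so the ASA's outside interface policy must be
! in place before the bridge is brought up.
no interface Dialer1
no ip nat inside source list 1 interface Dialer1 overload
no ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Management moves to its own routed interface (the thread noted a BVI needs
! a separate ethernet connection); the existing 10.0.0.0/16 route via
! 10.1.0.1 keeps working over this link.
interface GigabitEthernet3
 description Mgmt-to-ASA-inside
 ip address 10.1.0.2 255.255.255.252
 no shutdown
```

After the change, the ASA interface facing GigabitEthernet4 runs the PPPoE client with the setroute option discussed above, and the pre-NAT public address is then local to the ASA for the remote-access VPN.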

That's great. Thanks again. I'll try it later today or tomorrow when I can find a moment to bring everything down without getting shouted at.

Hi, I've just set this up and it's working perfectly. Thanks for all your help.