Multi-site network design question

inlandprinting
Level 1

background:

We have four facilities: two in one city connected by a Metro Ethernet connection, and the other two remote. Our current setup only permits us to use the public Internet, i.e. we are not putting in MPLS any time soon. Currently the remote sites are using ASAs to do a site-to-site VPN to the ASA at the corporate office. Up until now this has been an acceptable way to function. Things have changed: we now have server resources at both remote sites that VPN users may need to access, and we don't want to set up multiple VPN connections to access specific resources. In addition we have users using DMVPN connections from their homes now who have strange issues with Lync when connecting to other remote sites or home offices.

As I understand ASAs, they are designed so that traffic cannot enter and exit the device on the same interface, which is why the VPN users cannot reach the remote sites or home offices. This is the primary problem, but nice-to-haves would include using EIGRP to dynamically route to remote sites and home offices.

Plan:

My plan is to use our ISR routers to connect GRE tunnels to the remote sites and home offices, which would allow me to propagate EIGRP traffic as well as route VPN users past the firewall and to those remote sites. The design questions I've got have to do with a lack of experience doing this.

1) The home routers should be easy: just a simple GRE tunnel, no firewalls to deal with, just ACLs.

2) At the remote sites the routers sit outside the firewall. Can I pass the traffic from the GRE tunnel through the firewall, or should I put a NIM in the router and go around it, right into the core switch?

3) What pitfalls to this setup am I not thinking of, or am I completely off on a feasible design?

As always thanks in advance for any advice, or help offered here.
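The plan in the post above (GRE tunnels from the corporate ISR to the remote sites and home offices, with EIGRP running across them) is what DMVPN is built for: one multipoint GRE tunnel on the hub, IPsec "tunnel protection" so the GRE rides inside ESP, NHRP so spokes register dynamically, and EIGRP over the overlay. The configuration below is an added example written for this page and is not from the thread or from the poster's network; every hostname, interface, address, key and process number is assumed. It shows the hub and one home-office spoke; a remote-site spoke is the same apart from its addresses.

```cisco
! Added example, not from the thread. Hub = corporate ISR, spokes = home
! office and remote-site ISRs. Assumed: hub public IP 198.51.100.1,
! overlay 172.16.0.0/24, corporate LAN 10.1.0.0/16, home LAN 10.9.0.0/24.
!
! ---- identical on the hub and every spoke ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! a wildcard PSK is the weak link of this design: use per-peer keys or
! certificates in production
crypto isakmp key DMVPN-PSK-CHANGEME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- hub (corporate ISR) ----
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
!
! Only IKE, NAT-T and ESP need to reach the hub from the Internet; the GRE
! travels inside ESP. "permit gre" is kept for platforms that re-check the
! decrypted packet against the inbound ACL.
ip access-list extended WAN-IN
 permit udp any host 198.51.100.1 eq isakmp
 permit udp any host 198.51.100.1 eq non500-isakmp
 permit esp any host 198.51.100.1
 permit gre any host 198.51.100.1
 deny ip any any log
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group WAN-IN in
!
! ---- home-office spoke ----
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY1
 ip nhrp network-id 100
 ip nhrp nhs 172.16.0.1 nbma 198.51.100.1 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.9.0.0 0.0.0.255
```

Two design notes. `ip nhrp redirect` on the hub and `ip nhrp shortcut` on the spokes (DMVPN phase 3) let a home office reach a remote site spoke-to-spoke instead of hairpinning through the hub, which is the path the Lync traffic in the question would otherwise take; `no ip split-horizon eigrp 100` on the hub is what lets one spoke's routes be advertised to the others. The WAN-IN ACL is stateless, so its final deny also drops replies to traffic the hub itself originates (NTP, DNS); add permits or an inspect policy for those. Spokes behind home NAT work because IKE negotiates NAT-T (UDP 4500), but the hub needs a public address with no NAT in front of it. Verify with `show dmvpn`, `show crypto ipsec sa` and `show ip eigrp neighbors`.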

5 Replies

Philip D'Ath
VIP Alumni

If this was a greenfields deployment, I would probably tell you to use Cisco Meraki MX appliances everywhere and the AutoVPN feature.

https://meraki.cisco.com/products/appliances

Home users would be given lower cost Telecommuter Z1's.

https://meraki.cisco.com/products/appliances/z1

Next let's address the first error: traffic from remote VPNs can hairpin on an interface and go back out another VPN. You need this command:

same-security-traffic permit intra-interface

Now onto DMVPN and GRE. Personally, for a rock-solid setup, I configure DMVPN routers so they are directly connected to the Internet with no NAT. So I would put it side-by-side with the firewall (assuming the firewall does not have a DMZ with public IP address space on it).
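`same-security-traffic permit intra-interface` is the switch that allows the hairpin, but on its own it does not make VPN-to-VPN traffic flow: the hairpinned flow must also be exempted from NAT and must match the crypto ACL of both tunnels. The fragment below is an added example for this page, not configuration from the thread; it assumes all three tunnels terminate on the corporate ASA's outside interface and that the addressing in the comments is in use.

```cisco
! Added example, not from the thread. Assumed addressing:
!   corporate LAN 10.1.0.0/16, remote site A 10.2.0.0/16,
!   home-office LAN 10.9.0.0/24; remote A peer 203.0.113.10,
!   home peer 203.0.113.20; interfaces "inside" and "outside".
!
! 1. Allow traffic that arrives on "outside" (decrypted from one tunnel)
!    to leave on "outside" again (re-encrypted into another tunnel).
same-security-traffic permit intra-interface
!
object network NET-CORP
 subnet 10.1.0.0 255.255.0.0
object network NET-REMOTE-A
 subnet 10.2.0.0 255.255.0.0
object network NET-HOME
 subnet 10.9.0.0 255.255.255.0
!
! 2. NAT exemption for every VPN-to-VPN pair. Without it the hairpinned
!    flow is PAT'd to the outside address and never matches a crypto ACL.
!    These must sit above any catch-all dynamic PAT rule.
nat (outside,outside) source static NET-HOME NET-HOME destination static NET-REMOTE-A NET-REMOTE-A no-proxy-arp route-lookup
nat (inside,outside) source static NET-CORP NET-CORP destination static NET-REMOTE-A NET-REMOTE-A no-proxy-arp route-lookup
nat (inside,outside) source static NET-CORP NET-CORP destination static NET-HOME NET-HOME no-proxy-arp route-lookup
!
! 3. The interesting-traffic ACL of EACH tunnel must include the other
!    spoke's subnet, and the peer's crypto ACL must mirror it exactly.
access-list VPN-TO-REMOTE-A extended permit ip object NET-CORP object NET-REMOTE-A
access-list VPN-TO-REMOTE-A extended permit ip object NET-HOME object NET-REMOTE-A
access-list VPN-TO-HOME extended permit ip object NET-CORP object NET-HOME
access-list VPN-TO-HOME extended permit ip object NET-REMOTE-A object NET-HOME
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-REMOTE-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-HOME
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

The quickest check is the ASA's own packet simulator, which walks a constructed packet through the NAT and crypto lookups and reports which rule dropped it: `packet-tracer input outside icmp 10.9.0.10 8 0 10.2.0.10`. If the home tunnel instead lands on a router behind the ASA (as a DMVPN that the ASA cannot terminate would), the same two additions still apply, only with `(inside,outside)` in the NAT exemption and the home subnet added to the remote sites' crypto ACLs.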

inlandprinting

First item: I've got the same-security... command in place. For my remote access VPN users I have no problem, i.e. I can jump on AnyConnect from anywhere and access a device at any site. My home router however uses an S2S DMVPN; I cannot access the two remote sites. Note all three sites, home and the two remotes, all connect in using S2S VPN. The remotes are static, and the home is a DMVPN. So do I simply have something wrong in my routing/NAT statements or is this by design?

Sadly this is not greenfield; all equipment is already in place. Something to think about moving forward though for home users.

You may have confused the last part, or I'm not fully understanding your answer. My intention is to connect the remote sites via GRE tunnel so I can do EIGRP over the VPNs. As I understand it, the ASA cannot terminate a GRE tunnel. So the question is, if I terminate the GRE tunnel on my border router, do I then send that traffic back to the core switch through the ASA, or set up an interface that goes directly to the core?

Philip D'Ath

Did you know that 9.7(1) added VTI support? I don't believe it is actually GRE, but it is compatible with router VTI interfaces, which provides you with exactly the same functionality.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

And released less than a month ago...
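The commands listed in the release note above fit together as follows. This is an added example written for this page, not configuration from the thread or from Cisco's documentation; the addresses, names and pre-shared key are assumed, and it shows both ends of one route-based tunnel: the ASA 9.7(1) side and the matching IOS router side. With a VTI there is no crypto map and no crypto ACL; whatever the routing table sends out the tunnel interface is what gets encrypted.

```cisco
! Added example, not from the thread. Assumed: ASA outside 198.51.100.1,
! remote-site router 203.0.113.10, tunnel /30 10.255.0.0,
! corporate LAN 10.1.0.0/16, remote LAN 10.2.0.0/16.
!
! ---- ASA 9.7(1) ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key VTI-PSK-CHANGEME
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set ESP-AES256-SHA
 set pfs group14
 set security-association lifetime seconds 3600
!
! The tunnel is a real ASA interface: it gets a nameif, a security level,
! and is subject to access-group and NAT like any other interface.
interface Tunnel1
 nameif vti-remote-a
 security-level 100
 ip address 10.255.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Route-based: this static route, not a crypto ACL, selects the traffic.
route vti-remote-a 10.2.0.0 255.255.0.0 10.255.0.2
!
! ---- remote-site IOS router, the other end of the same tunnel ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key VTI-PSK-CHANGEME address 198.51.100.1
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set ESP-AES256-SHA
 set pfs group14
!
interface Tunnel1
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
ip route 10.1.0.0 255.255.0.0 Tunnel1
```

Two caveats a practitioner should check before relying on this. First, the release note introduces only IKEv1 commands (`set ikev1 transform-set`), so the router side is written for IKEv1 as well. Second, the note describes route-based VPN with IPsec profiles and says nothing about running a routing protocol across the tunnel, which is why the example uses static routes; confirm in the configuration guide for the version actually deployed before expecting EIGRP adjacencies over an ASA VTI. Also remember that an existing catch-all `nat (inside,any)` dynamic PAT will apply to traffic leaving the tunnel interface unless an identity rule for `(inside,vti-remote-a)` precedes it.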

inlandprinting

So that would mean it's not hindered by the same scalability problems that existed before. I'll have to give that a try, but first I'll need to update my ASAs.

inlandprinting

Do you by chance run this code yourself? I've got it loaded on one of my HA pairs and am having issues. When I reboot the standby it comes up without issue on 9.7(1); however, after failing it active to reboot the primary, it ran into issues. I got distracted, came back five minutes later and found that I'd lost my connection. I reconnected and noticed I was back on the primary unit. For whatever reason, the ASA running 9.7.1 had crashed and reloaded, so I tried again, and it crashed again. So I tried a third time and after about half an hour it crashed again. I'm planning to open a TAC case for this, but would be open to any insight you may have. For now I'm just going to revert it back to 9.6.2.
