4579 Views, 12 Helpful, 17 Replies

Need Help with Branch Office Scenario -- VPN Tunnel Configuration

muranskycotech
Level 1

I have a scenario in which I need to have multiple branch offices talking to one another using ASA 5505/5510 firewalls and 881 routers. I have 90% of my configuration setup perfectly, I think, but I don't have much experience with WAN setups, so I'm not sure how to proceed. Here's the scenario:

Home Office

ASA 5505 (upgrading to 5510 in the near future)

(Adding a 2900-Series Router with PRI voice module in the near future)

Single data subnet, but will expand to dual data/voice

... this home office maintains a permanent site-to-site VPN to ...

Remote Office 1

ASA 5505

2800-Series Router with PRI voice modules

Call Manager Server

Triple Subnet setup -- Data (Wired), Data (Wireless), Voice

>>> This VPN connection is established over two enterprise cable connections.

Remote Offices 2-5

ASA 5505

Single data subnet, no changes planned

>>> All of these are site-to-site VPN connected to the home office AND each other, so all of them are able to access each other directly. Has been working great for 3 years.

>>> Enter New Remote Offices...

Remote Offices 6-60

881 Router

Single Subnet

>>> These will establish a site-to-site VPN to the Home Office, because this is where the majority of their data and calls will go. They will also use the Home Office PRI for outbound calls. However, because currently my only Call Manager is at Remote Office 1, they need to be able to access it, and they need to access each other. Of course, the 881 can't establish enough VPN tunnels to accommodate so many offices, so that rules out configuring them the same as my ASA-based sites. I'm trying to avoid having to buy two ASA 5510s and licensing.

For now, my first 881 remote site is doing a VPN to Remote Site 1 for testing with Call Manager. That is working perfectly.

The question is... how do I allow the traffic from the remote sites to come home and back to another remote site in this scenario? I'm not sure what additional NAT/ACL configurations will be necessary. I assume changes will be needed on Home ASA, Remote ASA, and Remote 881's.

I can post any configuration details requested.

Accepted Solutions

Marwan ALshawi
VIP Alumni


I think your action plan is good.

Once you reach phase 2, start with the DMVPN setup to have your hub routers ready for rolling out the remote/spoke DMVPN sites.

Have a look at the below link, which shows you how to have two redundant dual-hub DMVPN:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml#dualhubsingle

Also you might consider configuring the new NHRP in DMVPN features:

Router(config-if)#ip nhrp shortcut
Router(config-if)#ip nhrp redirect

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_nhrp.html

About the remote sites 2-5, you can keep them as L2L VPN going to the hubs and make sure you inject their routes into DMVPN routing.

HTH
Please rate the helpful posts

17 Replies

Tim Butters
Level 1

Muransky,

So you've set your VPNs up in a mesh network using virtual tunnels, yes? Have you thought of creating a hub-and-spoke layout instead?

How are you publishing routes between each router? Dynamically or static? If Remote Offices 6-60 had a single tunnel VPN link to the Home Office (due to the limitations of the 880 series), you could publish the other Remote Offices (including the one with Call Manager) through dynamic routes to these routers.

Config please!

I would be interested in hearing any additional feedback you may have on this option as an interim or alternate methodology.

Collin Clark
VIP Alumni

IMO the ASA stinks when you have more than 3-5 VPN sites that need to communicate. There is no easy way to manage all the tunnels. If you have the option, replace the ASAs with routers (881 is fine) and configure DMVPN. It allows spoke-to-spoke communication (think full mesh).

On all VPN endpoints you will need to NAT0 and specify interesting traffic for all the other remote sites. On the ASAs you will also need to permit traffic on the same interface (hairpin routing) with the same-security-traffic permit intra-interface command.

Hope it helps.
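As an added example (not from this thread or from any poster), this is what the "NAT0 plus hairpin" approach described above looks like on a hub ASA with two spokes, written in ASA 8.4-style object NAT syntax. Every address, object name, peer IP and pre-shared key placeholder is constructed. The point to notice is that each spoke's crypto ACL and the NAT exemption have to name the other spokes' LANs as well as the hub LAN; that is exactly the per-site maintenance that grows with every office added.

```cisco
! Hub ASA 5505 (assumed ASA 8.4 NAT syntax; all addresses are constructed)
! Spoke-to-spoke traffic enters on outside and must leave on outside again,
! so hairpinning on the same interface has to be allowed explicitly
same-security-traffic permit intra-interface
!
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.10.1.0 255.255.255.0
object network SPOKE2-LAN
 subnet 10.10.2.0 255.255.255.0
object-group network ALL-VPN-LANS
 network-object object HUB-LAN
 network-object object SPOKE1-LAN
 network-object object SPOKE2-LAN
!
! "NAT0": exempt every VPN LAN pair from translation, once for hub<->spoke
! (inside,outside) and once for the hairpinned spoke<->spoke path (outside,outside)
nat (inside,outside) source static HUB-LAN HUB-LAN destination static ALL-VPN-LANS ALL-VPN-LANS no-proxy-arp route-lookup
nat (outside,outside) source static ALL-VPN-LANS ALL-VPN-LANS destination static ALL-VPN-LANS ALL-VPN-LANS
!
! Interesting traffic per tunnel must list the OTHER spoke's LAN too, otherwise
! a hairpinned packet matches no crypto ACL and is dropped on the way back out
access-list VPN-SPOKE1 extended permit ip object HUB-LAN object SPOKE1-LAN
access-list VPN-SPOKE1 extended permit ip object SPOKE2-LAN object SPOKE1-LAN
access-list VPN-SPOKE2 extended permit ip object HUB-LAN object SPOKE2-LAN
access-list VPN-SPOKE2 extended permit ip object SPOKE1-LAN object SPOKE2-LAN
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.11
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SPOKE2
crypto map OUTSIDE-MAP 20 set peer 198.51.100.12
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.11 type ipsec-l2l
tunnel-group 198.51.100.11 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER-SPOKE1
tunnel-group 198.51.100.12 type ipsec-l2l
tunnel-group 198.51.100.12 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER-SPOKE2
```

Each spoke (881 crypto map or ASA) needs the mirror image: its crypto ACL and NAT exemption toward the hub peer must cover the hub LAN and every other spoke LAN, since the hub is the next hop for all of them. After bringing a spoke up, `show crypto ipsec sa` on the hub should show a spoke1-to-spoke2 SA pair inside both tunnels once a cross-site call or ping has been made, and `show nat` should show hit counts on the identity translations; a zero count on the (outside,outside) rule is the usual sign that the hairpin is being translated or blocked.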

I do allow hairpin routing on my ASAs currently, so I'm covered there. I have a feeling that given my current setup, I could accommodate it all with a few well-considered NAT/ACL commands. If you don't mind looking at my configs (posted a few comments down), I'd appreciate your input.

I do agree that management of this many VPN tunnels is cumbersome and other methods (like DMVPN) will ultimately be the best plan, but if I can "make it work" as-is now and then transition to DMVPN in a future network update, that would be ideal for me.

Marwan ALshawi
VIP Alumni

I think you need to rethink your VPN setup and design.

First, consider the following:

1- Voice needs to go to CallManager for signaling > this will be from each remote site to the hub site where CM is located.

2- Media traffic of voice needs to be direct between sites (it can be indirect, going through the hub, but this will involve bandwidth consumption on the hub site and high latency for voice calls).

3- Number of remote sites and how many tunnels you need per site, not to mention how hard it is to manage when you want to add or remove a new site.

My recommendation for you is to use DMVPN, because with DMVPN you can meet all the requirements of your network:

1- Single multipoint tunnel for all sites

2- Ability to provide spoke-to-spoke direct and dynamic tunnelling and communications for voice needs

3- More scalable and manageable for large VPN deployments

4- You can run routing over these mGRE tunnels and protect it with IPsec

However, you need to use routers only, as it is not supported on Cisco firewalls; I believe most of your sites are using routers.

Below is a white paper about this technology. If you are willing to go with this approach, let me know and I can help you with it.

DMVPN Design

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html

HTH

If helpful, rate

One more thing.

With Cisco Voice you need to align your setup with the Cisco CallManager call admission control (CAC), and this needs to reflect the actual bandwidth available for the maximum number of calls to and out of each site (you need to discuss this with a voice designer). With DMVPN you will be able to make it happen, while with normal site-to-site it will be very hard to control it, as you need to know if the call goes direct or through the hub, and it will be something called topology-unaware CAC.

HTH

I had a recent experience where I had to sit down and think of a scalable VPN strategy for the company I work for. I went through all options from the basic crypto map to DMVPNs.

I went with VTIs - this documentation helped me loads:

http://inetpro.org/wiki/Hub_and_Spoke_VPN_with_VTI,_dual_hubs,_spokes_with_redundant_internet_access

I'm curious... I always believed that CM is contacted for the call routing and setup, but then everything is direct from phone to endpoint (phone, voice gateway, etc.). If that's the case, I would think that Call Manager wouldn't require that much bandwidth consideration. Based on my routing plans, outgoing calls would always be remote to home (and consequently home to remote), except for the limited remote to remote scenarios.

FWIW, I do plan on a second install of CM at the home office site next year which will definitely improve this. Also, I will have a multi-gigabit fiber connection between home and the remote site hosting Call Manager within the next few months, so that will reduce impact as well.

Marwan ALshawi
VIP Alumni

But VTI does not scale like DMVPN, especially for spoke to spoke for VoIP.

VTI is for smaller deployments; large ones need a more scalable and manageable solution.

Sent from Cisco Technical Support iPhone App

muranskycotech
Level 1

Thanks for all the feedback so far!

So, first of all, I'm posting the configuration files for Home Office ASA, Remote Site 1 ASA, and my 881 config. The 881s will be identical aside from IP address assignments (I'm following a 10.10.x.0/24 scheme). Feel free to take a look at them and provide any ideas or tips.

As I've said, I've not dealt with WAN connectivity much, so I'm sure many of you will look at these and cringe, lol. Like I said, I'm open to changing it if there's something I can do to make it more efficient. All I ask is that any advice be accompanied with some command examples to demo what you're saying, so I can learn from them.

I know that managing this many sites is going to be a challenge, so if there's a way to simplify it, that's fantastic. I am already attempting to cookie-cutter it as much as possible.

All sites involved DO have static IP addresses, and for sake of argument, bandwidth will NOT be a major issue aside from the home network... each site will have exactly 1 computer and 1 phone, and the computer will not be able to web surf, so not like a major amount of bandwidth is going to be consumed. (The computer will never do more than periodically upload text files.) Also, voice calls from remote to remote will not be "heavy" volume... more like occasional, brief calls. Only the home network should experience a significant amount of bandwidth consumed, but by year-end Home and Remote 1 are going to be joined on a multi-gigabit fiber loop, and they'll have plenty of internet bandwidth as well.

It sounds like DMVPN might be the best idea for me to consider, but from what I'm understanding, it sounds like I won't be able to keep the ASAs in the design. However, if I consider moving to the DMVPN design with routers in place of the ASAs, what additional licensing/cost would be associated?

Again, you are in the design phase and it is better for you to make the call now, as later it will be harder to transition because sites will be in production and you need to change the design, and the firewall has to be out of the VPN picture when you move to DMVPN.

I advise you to plan it from now, and about the license required: as long as you have the security license with the new IOS 15.x you should be OK.

I had a quick look at your remote end config (the 881); it looks OK, but think about it: if you add any new network you need to update many ACLs, VPN ACL, NAT ACL.

You could also use the 881 routers as clients and the hub site as server so you do not need many static tunnels in the hub ASA.

Again, not the right solution for you.

So for voice, you are right, the signaling only goes to CallManager, unless the remote sites use the PSTN gateway where CallManager is located, but you need to make sure in your voice design that music on hold is configured in the local gateway so that music on hold will not go through the VPN as a media stream from CM.

And static VPN tunnels will not help you to have spoke to spoke; see the below example of ASA and spoke-to-spoke communications (it still goes through the hub site).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

HTH

Please rate the helpful posts

Thanks for the follow-up!

If I understand correctly... if I use my 2911 router at home office (which will have its own PRI module and IOS-based MTP for MOH) for a DMVPN hub, and then configure my 881's as DMVPN clients, that sounds like it would achieve the results I'm looking for, correct? Will I have any issue in terms of the number of connections? I will have 55 initially, and it's only going to increase (probably 70 by end of 2012). The 881's have a limit of 20 connections, so that could be an issue unless DMVPN is a "concurrent" scenario in which it's only used as-needed (or unless that limit is based on using it as a hub instead of client). I'm not clear what (if any) limits the 2911 router has. Remote-to-Remote probably wouldn't be an issue, but with all of them phoning home to CM and the voice gateway, they might hit a limit on that end if the 2911 is limited.

Also, the only thing these remote sites would need access to additionally is CM at remote site 1 which is where the complication appears to be for me. That's only accessible over L2L right now, and I cannot change that site at this time. This is also true of my other 5 existing L2L sites. Changing them is not going to be an option for me. I have a fiber build planned that will integrate my home office and remote site 1 on the same network, but that's at least 3-6 months away, and I need my solution sooner.

So in the interim, ideally, while it seems I can solve the remote-to-remote communication issue, I still need a way for the DMVPN to access CM via an L2L VPN, since I can't change my remote site network right now. That, or I have to include the cost of adding an additional Call Manager server at my home office (which probably won't go over well).

Summing it all up, I can pretty easily use DMVPN to solve everything except accessing CM itself. For that, my home 2911 will still need to L2L back to my Remote 1 ASA, and then I need what-- a route?-- to send the appropriate DMVPN traffic in that direction for CM, and my Remote 1 ASA will need some additional config for the return trip. Assuming that's correct, and I'm OK on the 2911's ability to handle all the DMVPN connections, is this something you can help me with specifics?

Marwan ALshawi
VIP Alumni

Can you post a diagram depicting what you just described?

Sent from Cisco Technical Support iPhone App

Attached is a 4-page diagram showing the following, and I think I've decided on a plan of attack on this...

-- Network as it is today.

-- Phase 1: implementing the system at my corporate office exclusively. This can take advantage of my existing setup without issue and buys me the time needed to implement my fiber between home office and remote office, and reconfigure for DMVPN.

-- Phase 2: implementing the fiber and network redesign for DMVPN and router emphasis.

-- Phase 3: implementing my new remote sites.