cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
323
Views
0
Helpful
10
Replies
Highlighted
Beginner

Suggestions for tunnel configuration

Hi, 

 We are trying to setup a tunnel between Location A and B (see diagram) to pass some traffic since our MPLS bandwidth is limited. However, I am not an expert at this type of configuration so I need help from the community. I am sure that more questions are going to come up as this evolves but this is it for now:

  • What type of configuration (GRE, VRF, etc) do you suggest? And, Where should I terminate this tunnel (Firewall, 6509)? 
  • I was thinking to route this traffic based on destination since I have a clear understanding of where it should go but I am open for suggestions?

 

For you to know: 

6509 is running EIGRP with static route pointing to MPLS. No redistribution here

Remote locations do not have a routing protocol currently

Two Vlans are configured at the remote location 1.1.1.1 and 2.2.2.2

 

Thanks in advanced. 

Ralph

10 REPLIES 10
Highlighted
Hall of Fame Guru

Ralph

Do you mean create the tunnel over the internet ?

Jon

Highlighted

Yes. 

Highlighted

If it just one tunnel then IPSEC L2L would be my choice and from the firewall not the 6500 as it won't support it without a VPN module.

I am assuming both the firewall and router at the remote site can support an IPSEC tunnel.

If you want to pass routing updates across then you may also need GRE but you could keep it simple and use static routes although then you may need to use IP SLA for tracking.

You say you have specific destinations you want to route traffic to from the 6500 so it should be easy enough from that end but you also need to ensure the remote site sends the traffic back via the VPN tunnel.

Which means either the source and destination IPs need to be specific or you would need to use PBR at the remote end ie.

if the source IPs from Building A can use either the MPLS link or the VPN depending on the destination IP the remote end will have no way of knowing which link to route the traffic back on without some additional configuration.

Jon

Highlighted

I have a set of users that are using Citrix and they should use the MPLS to reach location A while the rest of the users should use the tunnel to get to resources located at location A. I probably have to add another VLAN in location B to capture the traffic and send it through the tunnel. I think is a good idea to use EIGRP to do the routing and failover.

My next question is that I have a proxy behind the ASA so, how do I send the Internet traffic in and and back out in order to get filtered?

Highlighted

My next question is that I have a proxy behind the ASA so, how do I send the Internet traffic in and and back out in order to get filtered?

Do you mean for the non citrix traffic at location A ?

Why would you want to proxy that traffic ie. normal internet yes but traffic between the sites via the tunnel I wouldn't have though it needed to be sent to the proxy and if it is not http/https etc. then your proxy probably won't know what to do with it.

Perhaps I have misunderstood ?

Regarding using EIGRP for routing bear in mind firewalls don't usually support GRE so this may or may not be an issue for you.

Jon

Highlighted

Hi Jon, 

 the traffic being filtered is Internet traffic. Location B users need to go to the Internet through location A. Now, I understand that the ASA doesn't support GRE but what about letting the traffic (GRE) pass throught the ASA and use the 6500 as tunnel endpoint? Is this a bad practice?

Highlighted
Beginner

I'd recommend an ipsec tunnel.  If terminating on a cisco router use VTI, if terminating on the firewall use that firewall's ipsec capability.  You typically don't want to tunnel in GRE which exposes your internal data in the clear out on the internet.

 

The answer to where you terminate a ipsec tunnel transversing the internet path, typically involves the question of where are the NAT boundaries on your network.  (Assuming, like most of us, your internal network is on private RFC 1918 address space).

 

Can your "ISP Modem" even terminate a ipsec tunnel?  It's doubtful.  And your ISP Modem probably does your NAT for Building B.

 

You might not have the hardware you really need to set up what you're talking about setting up.  Put another firewall handling the internet connection at Building B and you're in a much better position to do this.

Highlighted

I just confirmed that the 6500 does support GRE as well as IPSec and PBR so I can do this tunnel endpoint-to-endpoint with no issues. Am I correct? Do you have any suggestions about this or any other setup?

Highlighted

I mean the issue is, even if your 6500 can terminate a tunnel - it only has private internal ip addresses right?  Not world-routable public IPs.  Therefore, the far end of the tunnel cannot even target the 6500 with isakmp to bring up a ipsec tunnel.

 

I definitely would not use GRE.

 

You could use PBR but that might be extra complex, unless you intend on transmitting one type of dataflow over one path and another over the other path.  An IGP might do everything you need.

Highlighted

I have a few more questions though. 

 

In terms of the 6500 not having any word-routable public IPs, is there any way to do a NAT on the firewall and let the isakmp pass-thru as I currently have with some of my DMZ routers. Our firewall is not running any IGP so you would you go about doing this? 

If it is not too much of an effort, can we talk in terms of configuration examples? Do you have any idea on how to get this accomplished? 

Location B - Subnets

2.2.2.2

 

Location A - Subnets

1.1.1.1

3.3.3.3

0.0.0.0

Thanks.