VTI with IPSec behind ASA

Hello all,

I am looking into using a router at a remote site and a router at the main site behind an ASA to create a VPN using Virtual Tunnel Interfaces on each router. I plan on securing the tunnel with IPSec.

I am not 100% sure how the Virtual Tunnel Interfaces work. I know I can secure them with IPSec but I also know you can use GRE and secure the GRE tunnel as well. 

My question is what ports will need to be forwarded through the ASA in order to allow the tunnel to connect through it?

Any help is greatly appreciated!

21 Replies

Just to give everybody an update, I set everything up on Thursday. The router configuration went very quick but I spent some time stumbling through the ASA to get the NAT rule right... But I got it! 

I went to the remote site and ran a continuous ping to a device on the other side. I pulled the Metro E cable from the router two packets dropped and then everything cut right over to the VPN almost seamlessly. When I plugged the Metro E back in a few seconds later everything cut back over without any intervention on my part.

Obviously this is a substantially slower connection with a lot more latency. I could tell when it cut over because the latency on the ping went from 1ms to 25-30ms, which is still reasonable all things considered. I was expecting to get about 10-15Mbps throughput since I am dealing with Comcast cable connections on both ends that are unfortunately limited to about 10-15Mbps upload. My speedtest came back with the expected results.

Although the connection is a bit sluggish it will serve its purpose if/when an incident occurs and is better than nothing at all. It is also a ton cheaper than having an alternative Metro E line from another ISP. 

Thank you both for your substantial contributions to my project! You guys were a lot of help!

Thanks for the update. I am glad to know that you did get it to work and that our suggestions were helpful in the process.

HTH

Rick

I did a project for a customer where we were doing VTI between routers and one router was behind a firewall (not clear if the firewall was an ASA or something else) and they were doing a static one-to-one NAT. So your implementation should work. We did not control the firewall and I am not clear whether they just permitted traffic through for the NATed IP or whether they locked it down more tightly. I would think that in addition to ISAKMP (UDP 500/4500) you would probably also need to allow ESP (protocol 50).

HTH

Rick

Hi Rick, I wouldn't assume that there are any devices out there that are not doing NAT-T. In that case the ASA won't see any ESP (IP/50) traffic as it's encapsulated in UDP/4500 from the beginning.

Karsten
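
The point Karsten makes about what the ASA actually sees can be checked against the framing rules themselves. The following is an added example, not code from the thread or from Cisco: it classifies constructed packets from a VTI peer that has negotiated NAT-T (IKE on UDP/500, IKE and UDP-encapsulated ESP on UDP/4500 per RFC 3948, raw ESP as IP protocol 50) and then evaluates them against the two rule sets discussed above. All SPIs, headers and rule sets are constructed for illustration.

```python
"""What a firewall in front of an IPsec VTI peer actually sees.

Added example, not from the thread. Framing follows RFC 3948 (UDP
encapsulation of ESP) and IKE over UDP/500 and UDP/4500; all packets
below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

UDP_PROTO = 17
ESP_PROTO = 50        # raw ESP: only on the wire when NAT-T is NOT in use
IKE_PORT = 500        # ISAKMP / IKE
NAT_T_PORT = 4500     # IKE *and* ESP once NAT traversal is negotiated


@dataclass(frozen=True)
class Packet:
    proto: int                 # IP protocol number
    dst_port: Optional[int]    # UDP destination port, None for non-UDP
    payload: bytes             # UDP data, or the ESP header for proto 50


def classify(pkt: Packet) -> str:
    """Name the IPsec control/data stream a packet belongs to."""
    if pkt.proto == ESP_PROTO:
        (spi,) = struct.unpack("!I", pkt.payload[:4])
        return f"esp spi=0x{spi:08x}"
    if pkt.proto != UDP_PROTO:
        return "other"
    if pkt.dst_port == IKE_PORT:
        return "ike"
    if pkt.dst_port == NAT_T_PORT:
        # RFC 3948 sec. 2.3: a lone 0xFF byte is a NAT keepalive.
        if pkt.payload == b"\xff":
            return "nat-keepalive"
        # RFC 3948 sec. 2.2: four zero bytes (the "non-ESP marker") mean IKE.
        # Anything else is ESP; its first 4 bytes are the SPI, which RFC 4303
        # never allows to be 0, so the two cannot be confused.
        if pkt.payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"
        (spi,) = struct.unpack("!I", pkt.payload[:4])
        return f"esp-in-udp spi=0x{spi:08x}"
    return "other"


# Firewall rule sets, as (protocol, udp-port) tuples.
RULES_NATT_ONLY = {("udp", IKE_PORT), ("udp", NAT_T_PORT)}   # UDP 500/4500 only
RULES_WITH_ESP = RULES_NATT_ONLY | {("esp", None)}           # plus raw ESP


def permitted(pkt: Packet, rules) -> bool:
    """Would this rule set pass the packet to the NATed router?"""
    if pkt.proto == UDP_PROTO:
        return ("udp", pkt.dst_port) in rules
    if pkt.proto == ESP_PROTO:
        return ("esp", None) in rules
    return False


def ike_header(exchange_type: int) -> bytes:
    """Constructed IKEv2 header: initiator SPI, zero responder SPI,
    next payload, version 2.0, exchange type, flags, message id, length."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                       0x21, 0x20, exchange_type, 0x08, 0, 28)


def esp_header(spi: int, seq: int) -> bytes:
    """Constructed ESP header (SPI, sequence number) plus dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\xaa" * 16


# Constructed sample traffic from a VTI peer that negotiated NAT-T.
SAMPLE = [
    Packet(UDP_PROTO, IKE_PORT, ike_header(34)),                  # IKE_SA_INIT
    Packet(UDP_PROTO, NAT_T_PORT, b"\x00" * 4 + ike_header(35)),  # IKE_AUTH after NAT detected
    Packet(UDP_PROTO, NAT_T_PORT, esp_header(0x1A2B3C4D, 1)),     # tunnel data, UDP-encapsulated
    Packet(UDP_PROTO, NAT_T_PORT, b"\xff"),                       # keepalive through the NAT
    Packet(ESP_PROTO, None, esp_header(0x1A2B3C4D, 2)),           # raw ESP: only without NAT-T
]


def audit(packets, rules) -> dict:
    """Map each packet's classification to whether the rule set passes it."""
    return {classify(p): permitted(p, rules) for p in packets}


if __name__ == "__main__":
    for name, rules in (("udp 500/4500 only", RULES_NATT_ONLY),
                        ("plus esp", RULES_WITH_ESP)):
        print(name)
        for cls, ok in audit(SAMPLE, rules).items():
            print(f"  {'PERMIT' if ok else 'DENY  '} {cls}")
```

Running it shows that every packet a NAT-T peer emits (IKE, IKE on 4500, UDP-encapsulated ESP, keepalives) passes the UDP 500/4500 rule set; only the raw protocol 50 packet is denied, and that packet is never generated once NAT-T is negotiated. A protocol 50 permit on the ASA is therefore unused rather than harmful, and protocol 50 traffic showing up at the firewall is a sign that NAT-T did not negotiate.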

Very good point. +5 I withdraw my suggestion about needing to permit ESP.

HTH

Rick

Thank you for the input Richard. This is my alternative plan to the issue you were assisting me with prior.

Does this seem like a simpler and more effective plan than what we discussed previously about creating a tunnel directly to the ASA?

It does seem simpler and more effective, and in particular it would allow you to run EIGRP through the VTI tunnel, so you would not need the floating static routes.

HTH

Rick