Placement of Cisco ASA 5510 behind a DreyTek Router (DSL)

hasan0242
Level 1

I'm trying to implement a Cisco ASA (5510) into my network so that I can establish an IPSec tunnel with another company that is using Cisco equipment. Currently we are using a DreyTek router connected as a DSL modem and a Panasonic 16-port switch connecting all hosts (15-20 users in a small office). Unfortunately, the IPsec tunnel between the other company's Cisco router and our DreyTek router didn't work and had a lot of issues. So, we want to use a Cisco ASA for our network for a smooth IPsec tunnel.

Current Setup: DSL --> Dreytek Modem --> TP Link 16-port Gigabit Switch --> Internal LAN

I'm trying to use the Cisco ASA 5510 to establish the IPSec tunnel.
So, should I place the Cisco ASA like below: DSL --> DreyTek --> ASA 5510 --> TP Link 16-port Gigabit Switch --> Internal LAN

What would be the best way to achieve this without disrupting the network?
Is the topology that I'm suggesting the best way to do this? I'm including a network diagram for reference.

4 Replies

Richard Burts
Hall of Fame

Thank you for the diagram. I would say that the placement of the ASA is appropriate. The diagram shows the 192.168.1.0 network connecting the ASA to the DreyTek and network 192.168.2.0 for management. It also shows a LAN. What is the network of the LAN?

It would help if we knew more about the configuration of the DreyTek. In particular, does it have routing information for all networks behind the ASA? And does the DreyTek have any network address configuration for inside networks?

With the ASA placed like this you could configure a site-to-site VPN for inside devices to access the remote site. You could also configure address translation for inside devices accessing the Internet. In the NAT configuration you would want to exempt any VPN traffic from being translated. If there is currently a NAT configuration on the DreyTek you would want to remove it and use NAT on the ASA.

It is not possible to implement this without some disruption to the network. So you would want to implement this in a maintenance window.

HTH

Rick
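The following ASA configuration is an added example illustrating Richard's advice (NAT for Internet-bound traffic on the ASA, with VPN traffic exempted from translation); it is not from the thread or from either poster. It assumes ASA software 8.4 or later (object-based NAT and the ikev1 keyword), interfaces named inside and outside, the local LAN 192.168.1.0/24 stated later by the original poster, and placeholders for the remote company's LAN (192.168.200.0/24), the remote Cisco peer (203.0.113.10) and the pre-shared key (REPLACE_ME).

```cisco
! Added example (not from the thread): site-to-site IPsec on the ASA with
! identity NAT so that VPN traffic keeps its real addresses.
! Assumptions: ASA 8.4+, interfaces "inside"/"outside", local LAN 192.168.1.0/24.
! Placeholders: REMOTE_LAN 192.168.200.0/24, peer 203.0.113.10, PSK REPLACE_ME.

object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.200.0 255.255.255.0

! 1. NAT exemption (identity twice NAT). Manual NAT rules are evaluated before
!    the object NAT rule in step 2, so LAN-to-remote-LAN traffic is never PAT'd.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! 2. All other LAN traffic is PAT'd to the outside interface address.
!    This replaces the NAT previously done on the DreyTek.
object network LOCAL_LAN
 nat (inside,outside) dynamic interface

! 3. Crypto ACL. It must mirror the remote side's ACL exactly; otherwise the
!    negotiated proxy identities differ and decrypted packets are dropped.
access-list VPN_TO_REMOTE extended permit ip object LOCAL_LAN object REMOTE_LAN

! 4. IKEv1 phase 1 and IPsec phase 2 parameters (must match the peer).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_ME

! 5. The ASA sits behind the DreyTek. If the DreyTek still translates
!    addresses, ESP has to be carried in UDP/4500, so keep NAT-T enabled.
crypto isakmp nat-traversal 20
```

Two things outside this snippet still have to be true for the tunnel to come up: the ASA needs a default route pointing at the DreyTek, and if the DreyTek keeps doing NAT it must forward UDP/500, UDP/4500 and ESP to the ASA's outside address. The order of the two NAT rules is the point Richard makes about exemption: if the identity rule is missing, the VPN-bound packets are translated to the outside address, no longer match the crypto ACL, and leave the ASA unencrypted.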

Hi Richard, thanks for your reply and sorry about the delayed response. In our current setup, the LAN is behind the TP Link switch (the diagram mentions a Panasonic switch, which is a typo). The LAN network is 192.168.1.0/24 and currently all devices are routed through the TP Link switch > DreyTek router.

I haven't yet placed the Cisco ASA behind the DreyTek; I want to check all avenues so as not to disrupt the network before I make any changes. So, if I understand it correctly, the ASA inside will have NAT except for VPN traffic, and the DreyTek will just route the traffic out, which will be the outside of the ASA (considering that I should remove NAT on the DreyTek).

Thanks again for the explanation. It is becoming clearer to me. 

I agree with @Richard Burts. The proposed topology looks good. Just out of curiosity, and since it is always a good idea to keep an eye on the financial implications of buying stuff (meaning, the ASA is expensive), what exactly were the problems with establishing the IPSec/VPN tunnel between the Cisco and the Dreytek?

Hi @Georg Pauwen, sorry about the delayed response. I bought the ASA 5510 on a trial basis to test my knowledge and check if it can be beneficial to the company. If I can get the traffic flowing and establish the IPSec tunnel, we can go ahead with purchasing an enterprise-level Cisco ASA for our R&D-based small office.

I assume the problems were associated with NAT when establishing the IPSec tunnel between the DreyTek and the Cisco.

From our DreyTek side, we couldn't ping the remote network, and the Cisco ASA on the remote side showed a gibberish IP address, so it didn't establish the tunnel. We checked the IKE config between the devices, and it was matching. But no connection was established, though the ASA could ping the remote network behind the DreyTek.
The ASA log showed something like this:

IPSEC: Received an ESP packet (SPI= 0x516DDAE6, sequence number= 0xA0) from 60.242.177.122 (user= 60.242.177.122) to 203.27.179.166.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 3f50:4be3:3c93:18e1:2418:b8da:7b8d:2198, its source as 8845:9635:6396:af97:7782:bb1d:974f:b26d, and its protocol as 255.  The SA specifies its local proxy as 192.168.67.0/255.255.255.0/ip/0 and its remote_proxy as 192.168.68.0/255.255.255.248/ip/0.
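The log line above says the decrypted inner packet (with nonsensical IPv6-looking addresses and protocol 255) does not fall inside the proxy identities the SA was negotiated with (192.168.67.0/24 local, 192.168.68.0/29 remote). The commands below are an added example of how to check, on the ASA that logged the message, that the negotiated identities, the crypto ACL and the NAT rules agree; they are not from the thread. They assume the crypto ACL is named VPN_TO_REMOTE, the interfaces are named inside and outside, and use the addresses quoted in the log.

```cisco
! Added example (not from the thread): verifying proxy identities and NAT
! on the ASA that logged the "doesn't match the negotiated policy" message.
! Assumptions: crypto ACL VPN_TO_REMOTE, interfaces "inside"/"outside".

! Phase 1: is there an IKE SA with the expected peer, and is it in MM_ACTIVE?
show crypto isakmp sa

! Phase 2: compare "local ident" and "remote ident" of the SA with the ACL.
! Both sides' crypto ACLs must be exact mirrors of each other.
show crypto ipsec sa peer 60.242.177.122
show access-list VPN_TO_REMOTE

! Confirm the NAT exemption is hit before the VPN phase for LAN traffic
! headed to the remote subnet (192.168.67.10 and 192.168.68.2 are hosts
! chosen inside the two proxy subnets from the log).
show nat
packet-tracer input inside icmp 192.168.67.10 8 0 192.168.68.2 detailed

! Check what actually arrives from the peer on the outside interface:
! raw ESP, or UDP/4500 when a NAT device sits in the path.
capture VPNCAP interface outside match ip host 60.242.177.122 host 203.27.179.166
show capture VPNCAP
```

In packet-tracer output, look for the NAT phase to report the identity rule and for a VPN phase to follow it; if the PAT rule is listed instead, the exemption is missing or ordered after it. If show crypto ipsec sa shows encaps counters rising but decaps counters stuck at zero while the peer's decrypted packets look like garbage, as in the log above, the two ends are not agreeing on phase 2 parameters or proxy identities even though phase 1 succeeded.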
