At our company HQ we have a small block of public IP addresses. Currently using only one of them, configured as the gateway IP address on the network edge. We run in-house Exchange which utilizes port 443 for incoming connections to the webmail client. I would like to deploy the Cisco SSL based VPN, but the standard port is already in use. My goal here is to use port 443 for two different roles, differentiating by using different public IP addresses.
Is this a scenario where some form of VPN-on-a-stick could allow remote users to connect over VPN to the HQ internal LAN on a different public IP from that which is in use on the HQ network gateway?
Or, is there a single-chassis configuration which will allow the remote VPN users to terminate on my current edge router utilizing a secondary WAN IP address?
The edge router is a Cisco 2821 running "advipservicesk9-mz.151-4.M4". It performs both NAT and firewall with some port forwarding, as is typical for small & medium networks.
I happen have at least three additional chassis available to deploy for the VPN role if needed. One is a 1921-K9 with security bundle, one is another 2821 with the same OS as above (Adv IP), and a third is an ASA5505.
Happy to provide sketches, configs, or more detail if needed. Hope this is clear. I have to believe there is a solution to running two services on the same port number within one enterprise. I just don't know how to lay that out.
Note of caution I'll give about hairpinning on Cisco routers - it comes with a significant performance hit on the 2800 series. This occurs for all traffic being NAT'd, not just the traffic actively using the hairpin.
Are you using DNS? Might want to look in to DNS tricks in order to avoid the need to hairpin.
If you have two public IPs, then terminate the VPN on the interface-IP of the router and use the second IP for your OWA.
Thanks to all for the replies. FWIW I am forming a roadmap this year for hardware upgrades as budget allows. Meanwhile the vendor I get my refurbed hardware from offers their own next-day replacement guarantee, so that helps with the EOL issue somewhat, and I keep a spare chassis on hand for emergencies. I do realize that this does not help with IOS security patches. I had device coverage up until end of support and am running the 15.1(4)M4 release.
Essentially we utilize too much bandwidth and have too many concurrent NAT translations to run any of the smaller boxes as the gateway. This is why I moved from the 1921 to the 2821 in the first place, despite it being older. We have around 100 hosts on the LAN plus access to wifi for users who BYOD (smartphones, visitors, etc). Typical daily host count is around 150. ISP supplies 100Mbits down and 50 up. Even the 2821 hits 100% CPU on large downloads. I looked at the spec and it doesn't look like the ASA5505 could handle that bandwidth with NAT and firewall enabled. The 1921 certainly could not. Please, correct me if I'm wrong here. I'm also an IOS guy, never touched the ASA system before, so comfort level is a factor.
I think Karsten might have made the right suggestion, not sure why I did not think of that myself.
My follow-on question is this. I have not configured a secondary IP on the WAN before. Can a secondary WAN IP be configured with a static 1:1 NAT, passing a couple of ports to a host on the inside?
Also, can I still port-forward from the gateway IP alongside the 1:1 NAT on the secondary IP, to the same inside host? Currently users are on the Microsoft VPN until we complete the transition to AnyConnect and I'll need to preserve that functionality. The MS VPN terminates on the same box as the email.
Thanks again for all the input. It is greatly appreciated.
You don't have to configure the IP as secondary on the interface. Just configure your NAT-rules (1:1 NAT or for specific ports, just as you want), allow that traffic on your outside ACL and you are done.
Thank you. I will jump on my spare chassis and try to work out this config. This is probably the right answer. Meanwhile I am still interested in figuring out the side-by-side method, if that's possible. It would give me some flexibility.
ISP supplies 100Mbits down and 50 up. Even the 2821 hits 100% CPU on large downloads. I looked at the spec and it doesn't look like the ASA5505 could handle that bandwidth with NAT and firewall enabled. The 1921 certainly could not.
An ASA5505 should be able to do 100 Mbps with both firewall and NAT. I'd be more concerned about session count in your case. You'll want to do a "show version" on it to verify the inside host licenses are unlimited.
As for the 1921 it can't find the numbers on it but anything that new should be able to do over 100 Mbps. Perhaps it had firewalling enabled, or had the NAT configuration I'm warning about in the post below. If you're concerned about security patching for the 2821, used 2921s should be getting very affordable these days. We currently have several in our data center that are due to be retired next month, and they'll be sold off for around $300 each.
If it were me I'd stick to the router for NAT since that's what your comfortable with but put the ASA side by side with it and run AnyConnect.
Hi Johnny. The ASA was given to us for free by a business partner who purchased it and was unable to set it up himself. No clue what its license status is but it's also an 11 year old device. The plan is to move into a 2900 series at some point, and as you say they are readily available for not much money ($400). Meanwhile I want to get my topology and configurations ironed out so I'm not changing too many things at once.
The datasheet on the 1921 states 80 Mbps for NAT enabled, and additional services such as firewall/ACL/etc reduce that further. They show 68Mbps for NAT+QoS+ACL. THeir suggested WAN speed maximum is 15 Mbps. I'm sure it can be tuned to provide the throughput for 100Mbps, but I'd prefer to be able to run zone based firewall and NAT without a bottleneck. We also run site-to-site IPSec tunnels from time to time depending on various business factors, so I need to reserve headspace for that as well. We've had as many as three tunnels to business partners on top of our usual load.
The industry we are in is Engineering, which means lots of large file transfers and huge bandwidth requirements, especially over those IPSec tunnels. Lots of remote sessions and online meetings, screen sharing, etc.
Back to your suggestion, I certainly could run a side-by-side configuration with NAT on the 2800 and AnyConnect on the 1921 (it is licensed for that, I bought that unit new with SSL VPN enabled). This bring us back to the original question of how to configure that.
Something isn't adding up because the 1921 should be almost 2x faster than the 2821. If we're just talking regular performance numbers with no services (firewall, QoS, PAT, etc)
|Max PPS||Max Throughput (64-byte packets)|
|2821 ISR||170,000||87 Mbps|
|1921 ISR G2||290,000||144 Mbps|
That being said, services and IPSec especially will be CPU intensive, so I can't dispute the numbers on the data sheet much. Sounds like you want to at least move to a 2921/2951 or ideally a 3925 to get guaranteed 100 Mbps even with firewalling, PAT, IPSec, and QoS all enabled. Along those lines I'd point out the 2951 and 3925 have hardware-based encryption for AnyConnect and should outperform the ASA 5505. It sounds like you don't want to invest the time in learning the ASA, and if you don't need its features, that's totally understandable.
Thanks so much for the quick responses. Well, like I said I may be wrong about the performance. That's a big reason I asked the question here, there's huge value in the experience and opinions of others more experienced that myself :)
We don't actually run QoS on the router, so that helps in terms of throughput and CPU load. And it's true that comparing performance of these things is very difficult, for obvious reasons.
I could swap the 1921 back into use and monitor performance. I may have pulled it out based on what the datasheets were implying, it's been a while so I can't remember now.
One last question... I recently purchased a used 3845 for another project but did not use it, so it's available. I was not sure I could commandeer it but mgmt said OK. It has 15.1(4)M10 "Advanced Security" installed. This chassis is supposed to pass 500k pps or 256 Mbits @ 64-byte packets according to what I've read, and has on-board hardware encryption. I would expect it to be able to handle anything I could throw at it based on having nearly 2x the throughput of the 1921. In fact its performance numbers look very similar to the 2921. (Yes, I seem to have spare routers all over the place...) Does this sound reasonable? Any downsides to using this box that you know of?
One is a 1921-K9 with security bundle, one is another 2821 with the same OS as above (Adv IP), and a third is an ASA5505.
The ASA is really the best choice for AnyConnect VPN. It will support all features, while the ISR will only have partial support. Also, the ASA can do hairpinning without any performance loss.If it were me, I'd migrate to the ASA, but consider using the 1921 as well. The 2821 is end of support so it's time to get off it anyway