Cisco ASA Site to Site VPN with routers on inside

Joshua D4
Level 1

I have been asked to setup a site to site vpn to connect two remote offices.

We have two ASA 5510's, one on each side.

I can get the two ASAs set up, set up the VPN, and have everything work like it is supposed to: traffic passing from the local network to the remote network.

However, I have been asked to add two secure routers to the setup. One secure router between the local network and the ASA, and the other the same on the other end, between the remote network and its ASA.

Essentially, just like this:

LAN---------------------Router-------------------------ASA----------------ISP-----------ASA-------------------------Router---------------------------LAN

192.168.1.x   (inside 192.168.1.1)        (inside 10.0.1.1)               (inside 10.0.2.1)            (inside 192.168.2.1)          192.168.2.x

                          (outside 10.0.1.2)           (outside public ip)             (outside public ip)          (outside 10.0.2.2)

I don't understand how this is supposed to work. I can get each side configured so that the clients on the inside can get out to the internet.

A local client uses the inside interface of the router as the gateway; the router then routes this traffic to the ASA's inside interface, which forwards it to the default route/gateway of the ASA, to the ISP gateway and out to the internet.

However, when I am thinking about the VPN I don't understand how it is supposed to work. Because the LAN address gets translated to the outside address of the router, which is 10.0.0.2, so that it goes to the ASA inside address 10.0.0.1. If I were to ping an IP address of the other LAN, it shows up as coming from 10.0.0.2, which wouldn't be part of the VPN traffic, since the VPN traffic is the local addresses as it was set up with just the two ASAs. I don't see changing the VPN traffic to the 10.0.0.0 network working because the clients on the remote network have 192.168.2.x addresses. While the ASA and router translating from 192.168.1.x to 10.0.1.2 to the internet and back will work, I don't see requesting a connection to 192.168.2.x from 192.168.1.x working.

If it matters, one router is a Cisco 1841, and the other an HP 7102dl.

I don't really understand why, but they just want to have the routers used in the setup. Whether it is on the inside or outside of the ASA, it doesn't matter.

Can someone help me make sense of this please?


Jouni Forss
VIP Alumni

Hi,

Would be interesting to know why anyone would want to put a device doing NAT behind an ASA. If it was just routing traffic without NAT it wouldn't be that bad. Do the routers need to have NAT configured?

You haven't been given any reason for adding the routers? Do they serve any purpose at the moment? Do they provide any real service (that the ASA couldn't provide)?

- Jouni

I don't really understand the reasoning either, sorry for not being able to explain that. I suppose it doesn't have to NAT on the routers; it is just the way I was able to get traffic through to the ASA. That may be where I am missing the point, in trying to get the routers to not NAT the traffic. Would I just set them up as bridges? Wouldn't this negate the point of them being there?

Thanks

Hi,

I don't understand in the first place why there are routers behind the ASA. But then again I don't really know what kind of network was behind the ASA before the routers.

How many users are there behind the ASA on each site? Is there a big L2 switch network behind the ASAs?

A router doesn't have to do NAT to function as a router. You can just have the router pass traffic forward to the ASA as it is (without NATing the actual LAN network). Then again, if the routers were doing this, one would have to ask what the purpose of the routers is. What do they provide for the network that the ASA itself can't do?

If you need to create several VLANs with their own networks and need routing for them, the ASA can do that also and you wouldn't have to add a router to the network as an L3 device. Though I guess this isn't the situation here as you have only mentioned one network per site.

- Jouni

Hello,

I do agree with Jouni....

All you need to do is to use static routes on the ASA to let it know how to get to the network behind the router, and then put that network into the NO_NAT configuration and the crypto ACL.

That is all that needs to be done.

In fact it is a really normal scenario... Do not get confused, you do not need to use NAT as you are inside your network and you will be using private IP addresses.

Let me know if you need something else.

Regards,

Julio

Cisco Security Engineer

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.g.white
Level 1

If you had been asked to set up a GRE tunnel between the routers this would make sense (but not with NAT).

E.g.

LAN - router - firewall - asa - firewall -Internet - firewall - asa - firewall - router - LAN

Set up IPsec between the ASA devices to provide a secure tunnel across the Internet.

And then set up GRE between the routers to establish a virtual point-to-point connection to enable dynamic routing.

If you don't have firewalls, using a GRE tunnel between the routers still makes some sense.


Hi Julio,

To set it up the way you mention, would I keep the IP addresses the same or would I need to change them?

Also, in response to everyone, would setting it up using a GRE tunnel allow some clients to still just go straight out to the internet as well as to the "other side" remote LAN?

I appreciate everyone's input very much.

In response to Jouni, yes there is a big L2 switch behind the ASAs, and under the new setup there would be a router between the L2 switch and the ASA.

This may be an important part I don't understand, but on the router, unless I NAT the inside traffic to have the address of the outside interface on the router, no traffic goes through. I just get messages from the router saying "unable to determine destination route", seemingly regardless of what static routes I put on the router, but maybe I am just not configuring the static routes correctly.

Hi,

Personally I would leave out the routers altogether if possible.

That of course depends on who is demanding them in the network. There are some customers, for example, that just insist on putting their own NAT/firewall/router boxes behind our DSL lines even though we provide them with a firewall service. (So you basically end up with 2 devices doing PAT and firewalling.)

Or at the least remove any NAT function from them.

Routing should be very simple. The router should see both its inside and outside link networks as connected networks on its routing table. Adding a default route pointing towards the local ASA interface IP should handle routing for all the traffic.

Also, I don't know why you would need to configure GRE. Wouldn't that just needlessly complicate the network configuration/setup?

- Jouni
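Julio's and Jouni's advice above, put into configuration form as an added example (nobody in the thread posted this): the ASA keeps a static route to the LAN behind the router, a NAT exemption and a crypto ACL for the real LAN networks, while the router only routes, with a default route towards the ASA and no NAT. It assumes the addresses from the diagram in the original post (192.168.1.0/24 behind 10.0.1.2 at site A, 192.168.2.0/24 behind 10.0.2.2 at site B), ASA 8.2-era syntax on the 5510s, that the ISAKMP policy, transform set, peer and tunnel-group from the already-working ASA-only VPN exist, and that the crypto map name OUTSIDE_MAP and the interface names are placeholders.

```cisco
! ===== ASA, site A (ASA 8.2 syntax assumed) =====
! The LAN is one hop away, behind the router, so the ASA must be told.
! Without this, decrypted traffic for 192.168.1.0/24 has no route back.
route inside 192.168.1.0 255.255.255.0 10.0.1.2 1
!
! NAT exemption ("NO_NAT"): LAN-to-remote-LAN traffic keeps its private
! source address, so it matches the crypto ACL instead of being PATed.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Ordinary Internet traffic from the LAN is still PATed to the outside
! interface; NAT exemption is checked before this rule.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Crypto ACL: the same real LAN networks define the interesting traffic.
! OUTSIDE_MAP is a placeholder for the existing crypto map name.
access-list VPN_A_TO_B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
!
! Site B mirrors this: route inside 192.168.2.0 via 10.0.2.2, NONAT and
! crypto ACL with 192.168.2.0/24 as source and 192.168.1.0/24 as destination.

! ===== Cisco 1841, site A (IOS) - routing only, no "ip nat" statements =====
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 description link to ASA inside
 ip address 10.0.1.2 255.255.255.0
 no shutdown
!
! 192.168.1.0/24 and 10.0.1.0/24 appear as connected routes automatically;
! everything else (Internet and the remote LAN) goes to the ASA.
ip route 0.0.0.0 0.0.0.0 10.0.1.1
```

The HP 7102dl at site B uses its own syntax, but needs the same two things: its two connected networks and a default route to 10.0.2.1, with no NAT between them. On ASA 8.3 and later the NAT exemption is written as a twice-NAT `nat (inside,outside) source static` rule instead of `nat (inside) 0`.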

rhienwei2010
Level 1

If the NAT has to be done on the router rather than the ASA, then at least on one side (the destination side) you need to do static NAT on the router. Since the VPN link is transparent to the routers, for two NAT routers to talk to each other, one must do static NAT.

It's okay to have the NAT done on the ASA as opposed to the router. One problem I am running into right now seems to be very simple, but somehow I am missing the correction.

I have the router connected to the LAN, with an inside IP address of 192.168.1.1 and an outside address of 10.0.0.2. The outside port is connected to the ASA's inside port, 10.0.0.1. When I have it set up the way the router wants by default, which is having the inside network NATted to the outside port's address, I can get out to the internet and the ASA just fine. The minute I take that NAT translation away, I stop being able to reach 10.0.0.1; I can't ping it or anything. I have console logging enabled on the router, and it doesn't give me any information as to why the connection isn't making it.

With and without a static route configured on the router, I can't get any traffic to 10.0.0.1. The static route I have had on there is: 0.0.0.0 0.0.0.0 10.0.0.1 static 1.

The ones created automatically are:

192.168.1.0 255.255.255.0 0.0.0.0 Connected 0

10.0.0.0 255.255.255.0 0.0.0.0 Connected 0

Sounds like it should be simple to get the traffic to go through the router, but I am unable to.

Any ideas?

Thanks for the help