02-04-2015 02:11 PM
I have been tasked with coming up with a way to offload some of our WAN traffic to site-to-site VPN tunnels. I know the response that I would give when asked about this is simply "upgrade your bandwidth." Unfortunately that is not an option (on a state government budget).
Attached is a diagram of our basic setup.
I would like to know if this is even possible. Basically they want to send some traffic out the VPN tunnel instead of across our slow WAN connection. The traffic being sent out the VPN tunnel would ideally be classified by TCP/UDP ports. If that's not possible would it be possible to do by source/destination IP? They also mentioned they would like this to be only active at a particular time of the day.
I'm just looking for some guidance here. Is this possible? Is it feasible?
02-04-2015 03:12 PM
When configuring your VPN, you use an ACL to define which traffic will be protected and which traffic gets sent unencrypted. Together with the routing, you can configure that some traffic will flow over the VPN and other traffic will flow over the WAN.
You shouldn't take the approach with TCP/UDP ports or time-ranges. Still, you will face some challenges in that design, as you have to make sure that the ASAs with the VPN will see both directions of the traffic. Or you have to disable the stateful inspection for the VPN flow.
Are the two routers IOS devices that have a security IOS/license? An easier solution could be to build a VTI-based tunnel between the routers, where you have much more flexibility than with the ASA. The ASA is more or less the wrong device for the right job.
02-05-2015 11:00 AM
Thanks for the info guys. That gives me some good starting points.
So let me throw this out there....
What if I have a server at a branch remote site and I would like some of the traffic originating from that server to go out the WAN interface and some of that traffic to go out the VPN tunnel on the internet? The only real way to do that would be some sort of classification by port or I guess possibly destination IP.
The routers are running c2801-advsecurityk9-mz.124-25d. So I'm fairly certain they'd be able to do VTI based tunnels? Does it make a difference that they are "behind" the ASA in regards to the internet?
02-05-2015 10:25 PM
Needs clarification.
You have a dedicated circuit, that is independent from your ISP connection?
This dedicated circuit is used to communicate between your location and another site?
Going to the internet, you have a router, then your ASA?
Your diagram is painting a different picture than what I am interpreting your words to be relaying.
Can you provide a more thorough diagram of your network?
02-06-2015 05:58 AM
I'm not sure what else you are looking for out of my diagram. I can't share too much beyond that.
You have a dedicated circuit, that is independent from your ISP connection?---YES
This dedicated circuit is used to communicate between your location and another site?--YES
Going to the internet, you have a router, then your ASA?--YES
02-06-2015 08:39 AM
"The routers are running c2801-advsecurityk9-mz.124-25d. So I'm fairly certain they'd be able to do VTI based tunnels? Does it make a difference that they are "behind" the ASA in regards to the internet?"
Your diagram does show your router behind your ASA, sort of, depending on where your office resides. But you're talking about your routers being responsible to perform peering capabilities between each other.
Why does your 5505 not perform the peering relationship with HQ 5550 and each ASA device then terminate the tunnel?
"Going to the internet, you have a router, then your ASA?--YES"
--
Where does your company reside on that diagram? If it's off the router, why do you have an ASA 5505 facing the internet, THEN a router? Basically your diagram is either completely backwards or unnecessarily redundant...which signifies to me that either the person that built the network did something wrong or the person that drew the diagram didn't interpret the network properly.
"I'm not sure what else you are looking for out of my diagram. I can't share too much beyond that"
I'm just looking to help -- and want to ensure that I'm looking at an accurate picture of what you're working with, which I don't feel is being presented to me.
02-06-2015 10:02 AM
I understand the source of confusion now.
Yes, there are internal LANs connected to each router. So on the router:
int1 is LAN
int2 is path to ASA
int3 is path to WAN
So I didn't indicate the LAN in the diagram. Sorry in my efforts to oversimplify I didn't provide enough info.
02-06-2015 06:15 AM
Sending the IPsec-traffic through the ASA is no problem if you don't terminate IPsec-sessions on the ASA. Or you need an additional public IP for the inside routers on each ASA.
The rest would be pure IP-routing which traffic you send directly over the WAN and which traffic you send into the IPSec-tunnel-interface.
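The VTI suggestion from the earlier reply and the pass-through point in this one, worked out as an added configuration example. This is not config from the thread; every hostname, interface, address (RFC 1918 and RFC 5737 documentation ranges) and the pre-shared key placeholder is an assumption chosen to match the description of "LAN / path to ASA / path to WAN" on each router. The ASA NAT and ACL syntax assumes ASA 8.3 or later.

```cisco
! ---- Branch router (assumed: Cisco 2801, IOS 12.4(25d) advsecurity) ----
! Assumed addressing, not from the thread:
!   Fa0/0  10.1.0.1/24      branch LAN (int1)
!   Fa0/1  192.168.1.2/24   path to ASA 5505 inside, ASA inside = 192.168.1.1 (int2)
!   S0/0/0                  existing slow WAN to HQ, next hop 10.255.0.2 (int3)
!   ASA 5505 static-NATs 192.168.1.2 to public 198.51.100.10
!   HQ ASA 5550 static-NATs the HQ router 192.168.2.2 to public 203.0.113.10
!   HQ LANs 10.2.0.0/16; the HQ subnet to offload onto the tunnel: 10.2.50.0/24
!
! 12.4 mainline offers DH groups 1/2/5 and SHA-1 for IKE; use the strongest it has
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
! NAT-T (UDP 4500) is enabled by default, which is what makes peering through the ASAs work
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.10
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 description IPsec VTI to HQ over the Internet, through the ASA
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Host route so the IKE/ESP peer is reached via the ASA and never via the WAN
ip route 203.0.113.10 255.255.255.255 192.168.1.1
! Existing WAN route for all HQ networks (assumed)
ip route 10.2.0.0 255.255.0.0 10.255.0.2
! Longest prefix wins: only this HQ subnet is carried inside the tunnel
ip route 10.2.50.0 255.255.255.0 Tunnel0
!
! ---- HQ router: mirror image (same isakmp policy, transform set and profile) ----
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.10
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
ip route 198.51.100.10 255.255.255.255 192.168.2.1
!
! ---- HQ ASA 5550: let IKE, NAT-T and ESP from the branch reach the inside router ----
object network HQ-RTR
 host 192.168.2.2
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE-IN extended permit udp host 198.51.100.10 object HQ-RTR eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.10 object HQ-RTR eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.10 object HQ-RTR
access-group OUTSIDE-IN in interface outside
```

The branch ASA 5505 needs the matching static NAT and ACL for 192.168.1.2, which is the extra public IP the reply refers to; if only the branch router ever initiates, it can also ride the existing outbound PAT because NAT-T moves IKE and ESP to UDP 4500. Because the ASAs now see only the encrypted tunnel packets in both directions, the one-direction stateful-inspection problem raised earlier does not arise. Plain destination routing can only steer traffic towards HQ, however: at HQ the return traffic for the branch LAN is still routed over the WAN unless you either route the whole branch /24 into Tunnel0 or apply policy-based routing on the HQ LAN interface matching source 10.2.50.0/24. Verify with `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip route 10.2.50.1`.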
02-12-2015 12:30 PM
So I've been brainstorming about this and have some things I'd like some input on...
I think ultimately we will need to "direct" traffic based on TCP ports, so I was thinking that I might be able to implement policy-based routing on my router to send the specified traffic out the correct interface based on TCP port number.
Is this a feasible solution?
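Policy-based routing by TCP port with a time-of-day window, as an added example that is not from the thread. It assumes a VTI Tunnel0 already exists between the two routers (branch end 172.16.0.1/30, HQ end 172.16.0.2), branch LAN 10.1.0.0/24 on Fa0/0, HQ LANs 10.2.0.0/16, and that the bulk traffic to offload is CIFS (445) and HTTPS (443); ports, addresses, interface names and the NTP server are all assumptions.

```cisco
! ---- Branch router ----
! A time-range is only as good as the clock it is evaluated against: sync both routers
ntp server 10.2.0.5
clock timezone EST -5
clock summer-time EDT recurring
!
time-range OFFLOAD-HOURS
 periodic weekdays 7:00 to 18:00
!
! Constructed example ports; each entry matches only while the time-range is active,
! so outside the window nothing is policy-routed and all traffic takes the WAN as today
ip access-list extended OFFLOAD-TO-TUNNEL
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.255.255 eq 445 time-range OFFLOAD-HOURS
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.255.255 eq 443 time-range OFFLOAD-HOURS
!
route-map OFFLOAD permit 10
 match ip address OFFLOAD-TO-TUNNEL
 ! Next hop is the HQ end of the VTI. If Tunnel0 goes down its /30 leaves the routing
 ! table, the next hop becomes unreachable and matched packets fall back to normal
 ! (WAN) routing instead of being dropped.
 set ip next-hop 172.16.0.2
! No match/set in sequence 20: everything else is routed by the routing table
route-map OFFLOAD permit 20
!
interface FastEthernet0/0
 description Branch LAN (int1)
 ip policy route-map OFFLOAD
!
! ---- HQ router: steer the return half of the same flows into the tunnel ----
! Same time-range definition and NTP source as the branch
time-range OFFLOAD-HOURS
 periodic weekdays 7:00 to 18:00
ip access-list extended OFFLOAD-RETURN
 permit tcp 10.2.0.0 0.0.255.255 eq 445 10.1.0.0 0.0.0.255 time-range OFFLOAD-HOURS
 permit tcp 10.2.0.0 0.0.255.255 eq 443 10.1.0.0 0.0.0.255 time-range OFFLOAD-HOURS
route-map OFFLOAD-RETURN permit 10
 match ip address OFFLOAD-RETURN
 set ip next-hop 172.16.0.1
route-map OFFLOAD-RETURN permit 20
interface FastEthernet0/0
 description HQ LAN
 ip policy route-map OFFLOAD-RETURN
```

Policy routing is applied per packet on the ingress LAN interface, so a TCP session that is open at 07:00 or 18:00 simply changes path rather than breaking, and the tunnel traffic itself passes the ASAs as ESP/UDP 4500 in both directions. `show route-map OFFLOAD` reports how many packets were policy-routed, `show time-range OFFLOAD-HOURS` shows whether the window is currently active, and `show ip policy` confirms the map is bound to the interface.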
02-04-2015 09:17 PM
So you have a dedicated link between your branch office and your headquarters?
And that connection is slow.
Yes. You can treat certain traffic flows differently than others.
Put a static route in your router to point to the ASA. Send the traffic across the tunnel through the internet to your headquarters.
You will select the traffic to go through the tunnel based on destination ip address.
Switching it different times of the day means removing and replacing a static route in both of your routers.