Using a VPN tunnel on a router OUTSIDE our ASA

rweir0001
Level 1

I have a VPN tunnel built off our ASA to a firewall at a Disaster Recovery (DR) site. The VPN itself works fine, but during backups we have some application slowness issues. It has been suggested that I should build the VPN tunnel off our OUTSIDE Router to the DR Firewall. This router would be the next hop for our ASA, so it essentially sits between our ASA and the DR firewall. My issue with this is that my protected network that needs to go over the VPN tunnel sits BEHIND my ASA. So, if I built a VPN tunnel between my OUTSIDE Router and the DR Firewall then traffic coming from the protected network at the DR would travel over the VPN to the OUTSIDE Router, but I don't think that I could get that traffic through the ASA. The ASA will just see the traffic coming from the OUTSIDE Router, but it sees ALL traffic coming from the OUTSIDE Router, and that traffic would no longer be encrypted in a VPN. Sure, I could build another VPN tunnel between the ASA and the OUTSIDE Router, but that would defeat the purpose of building a VPN from the OUTSIDE Router to the DR Firewall in the first place, and would probably cause some other connectivity issues. 

I have attached an oversimplified diagram to this case (for whatever reason I can't just copy and paste it to this text box, which is kind of irritating). Here is my explanation about what I'm trying to do and why I think it won't work:

1.) Our ASA has an outside interface IP of 1.1.1.1

2.) The OUTSIDE Router has an interface with an IP of 1.1.1.2 that is directly connected to the ASA

3.) The OUTSIDE Router has another interface with IP 2.2.2.2 that has a VPN tunnel to the DR Firewall with an IP of 2.2.2.1

4.) The protected network BEHIND the ASA that must go over the VPN tunnel is 192.168.1.0/24

5.) The protected network BEHIND the DR Firewall that must go over the VPN tunnel is 10.0.0.0/24

6.) Traffic traveling to the DR Firewall subnet of 10.0.0.0/24 would have to be routed from the ASA to the OUTSIDE Router at 1.1.1.2. The OUTSIDE Router would then have to place that traffic on the VPN tunnel to the DR Firewall whose Peer IP address is 2.2.2.1

7.) Return traffic from the DR Firewall subnet 10.0.0.0/24 going to the ASA 192.168.1.0/24 subnet would have to be placed on the VPN tunnel and sent to the Peer IP address of the OUTSIDE Router 2.2.2.2.

8.) The OUTSIDE Router would have to forward those packets (which would no longer even be encrypted in a VPN tunnel) to the outside interface of the ASA 1.1.1.1

9.) The ASA would just see traffic coming from its next hop, the OUTSIDE Router 1.1.1.2 address, and would most likely just drop it, right?

I'm sure that there are lots of issues with this scenario, but I'm essentially just looking for someone to confirm that building a VPN tunnel off an OUTSIDE router to a remote location makes no sense if one of the protected networks sits behind a local ASA. I leave open the possibility that there are things that I may not be thinking about that would make this plan feasible, so if you know a way to make this VPN tunnel between the OUTSIDE Router and the DR Firewall workable for devices behind the ASA then I would love to hear your suggestions, too. 
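Added for illustration only (not from the thread and not the poster's configuration): the ASA-side statements that the design in steps 6 to 9 would need so that DR traffic is routed to the OUTSIDE Router and the decrypted return traffic it hands back is permitted rather than dropped. Addresses are the thread's; the object and ACL names are assumed, and the syntax is ASA 8.3 or later.

```cisco
! Constructed ASA 8.3+ example; object and ACL names are assumed.
object network NET-LOCAL
 subnet 192.168.1.0 255.255.255.0
object network NET-DR
 subnet 10.0.0.0 255.255.255.0
!
! Send DR-bound traffic to the OUTSIDE Router, which terminates the IPsec tunnel
route outside 10.0.0.0 255.255.255.0 1.1.1.2
!
! Keep the protected pair out of any dynamic NAT, exactly as a tunnel on the ASA would
nat (inside,outside) source static NET-LOCAL NET-LOCAL destination static NET-DR NET-DR no-proxy-arp route-lookup
!
! Lower-to-higher security traffic is denied by default; permit only the DR subnet
access-list OUTSIDE_IN extended permit ip object NET-DR object NET-LOCAL
access-group OUTSIDE_IN in interface outside
```

Return traffic from 10.0.0.0/24 reaches the ASA as plain IP from 1.1.1.2, so this interface ACL is the only control applied to it, and the 1.1.1.1 to 1.1.1.2 link carries it unencrypted, as the post points out.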

3 Replies

Philip D'Ath
VIP Alumni

Is the slowness being caused by circuit congestion? If so, it won't make any difference terminating it off the router instead of the ASA.

Philip,

There doesn't appear to be any circuit congestion. There is no high memory or CPU usage on the ASA. There are also no errors on any interface in the path. There is really no indication of an issue other than the applications, which are in VMware Horizon, being very slow when the backups are running. A Cisco Support engineer suggested that it was possibly due to reduced throughput on the ASA, where we are running a few VPN tunnels. We haven't been able to really verify that yet. Being able to run the VPN tunnels off another internal device, like a VPN concentrator or something, would be a good test, but we don't currently have a device we can use. Like I said, I don't think running the VPN tunnels off the outside router will work for a few different reasons, but would like to get the input of others.

What model ASA do you have and what size circuit have you got?

Are the users talking to servers in the DR site as well?