Route VPN tunnel through a specific line - ASA 5505

    Hello, I would like to use a different route for a VPN tunnel and for regular traffic.
    I have both an ADSL and a SDSL line.
    Both are plugged into different interfaces on my Cisco ASA 5505:
    ADSL: outside - 10.1.1.1 (NAT is done at the ADSL router)
    SDSL: outside2 - 129.1.1.1 (This is a public IP)
    For the moment, all traffic goes through interface outside and the ADSL line.
    I don't use NAT since NAT is performed at the ADSL tunnel.
    I have a default route to route all traffic to the ADSL modem.
    And I have a VPN tunnel set up through this ADSL connection, which works fine.

    In order to switch the tunnel to the SDSL line I've performed the following actions:
    - add a route to the remote peer through the SDSL router:
    route outside 0.0.0.0 0.0.0.0 10.1.1.2 255
    route outside2 183.67.41.4 255.255.255.255 129.1.1.2 1
    - delete and recreate the VPN tunnel on the interface outside2 (all other parameters stay identical):
    access-list outside2_cryptomap_1 remark Tunnel VPN
    access-list outside2_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 partner-network 255.255.0.0
    crypto map outside2_map 1 match address outside2_cryptomap_1
    crypto map outside2_map 1 set peer 183.67.41.4
    crypto map outside2_map 1 set transform-set ESP-3DES-MD5
    crypto map outside2_map 1 set phase1-mode aggressive group1
    crypto map outside2_map interface outside2

    - on the remote peer, change the IP of the end of the tunnel from my ADSL IP to 129.1.1.1


    But then it still doesn't work:
    - When I send packets to the partner-network, they go out through the interface outside rather than through the tunnel.
    - When the remote network sends me packets, the VPN tunnel doesn't come up. I see phase 1-related messages but that's all.

    Am I missing something or doing something wrong?

    Thanks in advance for any help.

  • #2
    Re: Route VPN tunnel through a specific line - ASA 5505

    daff42 -

    Your issue here is your definition of your static routes. You have a default route for all unknown traffic going out your 'outside' interface, and by giving it the higher AD you've created what is known as a floating static route. That's fine. The problem is that you have your other static route locked down to the host 183.67.41.4, which I'm assuming is the address of the other tunnel endpoint. What this will do for you is only send traffic destined to that specific IP out that interface, which is why you see phase 1 begin, since those packets have that address as a destination.

    What you need to do here is define what is known as 'interesting traffic'. This is what tells your router when to use a VPN or not, and which VPN to use. This is why your crypto maps need ACLs defined, so your router knows "ok, traffic destined for this host or subnet needs to be protected and should traverse this VPN tunnel". You already have this done with your 'outside_cryptomap_1'. This is also why it is difficult to nail up VPN tunnels for overlapping subnets within an organization, because the interesting traffic ACL matches more than one tunnel.

    I would return your default route back to the original AD of 1, remove the static route pointing to 183.67.41.4, and see what happens. The crypto map that contains the ACL for interesting traffic that is behind your endpoint 183.67.41.4 is already applied to interface outside2, so when there is a match, it will use that interface.

    Finally, I would not use aggressive mode unless you are using certificates; stick with preshared keys and main mode. Use strong keys, and use different keys on each VPN pairing. The reason for this is that aggressive mode completes in only 3 packets as opposed to 6 with main mode. In order to achieve the same results in fewer packets with aggressive mode, the payload contains more sensitive information than if you just use main mode. If those packets are intercepted, it's an unnecessary risk.

    HTH.

    Regards,
    Scott
    Scott Pickles
    Systems Engineer
    VPN Systems, Inc.
    www.vpnsystems.com
    *******************
    CCNA - CCDA - BCMSN



    • #3
      Re: Route VPN tunnel through a specific line - ASA 5505

      Thanks for the detailed answer.
      183.67.41.4, as you correctly assumed, is the IP of the other tunnel endpoint.

      One question though: if I remove the route to 183.67.41.4, how will it figure out that the next hop from interface outside2 is 129.1.1.2 (which is the IP of the SDSL router)?

      Regards,



      • #4
        Re: Route VPN tunnel through a specific line - ASA 5505

        daff -

        It 'figures out' which interface to go out in order to reach the endpoint 183.67.41.4 based on your crypto map. One of the most difficult things to understand about Cisco firewalls is the rather convoluted way in which the device is built from the ground up. It can be confusing to understand all of the pieces, but by building it in scalable pieces, it allows for easy re-use of components put together in different ways to create the functionality you want. This allows the firewall to be highly scalable. So following the logic once more:

        1. Define the interesting traffic that needs to be protected in a tunnel (i.e. anything from 192.168.0.0/24 destined for the partner-network/16 at the other site). This is done with your ACL:

        access-list outside2_cryptomap_1 remark Tunnel VPN
        access-list outside2_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 partner-network 255.255.0.0

        2. Pair this definition of interesting traffic with the crypto map (transform set, etc. governing the protection of the traffic destined for that site). This is done with the line:

        crypto map outside2_map 1 match address outside2_cryptomap_1

        The rest of the crypto map, as I said, is the transform set governing encryption and integrity, the peer, main/aggressive mode, etc.

        crypto map outside2_map 1 set peer 183.67.41.4
        crypto map outside2_map 1 set transform-set ESP-3DES-MD5
        crypto map outside2_map 1 set phase1-mode aggressive group1

        3. Finally, pair all of this with the interface you are specifying as the one that is setup to reach the other endpoint peer:

        crypto map outside2_map interface outside2

        You can see that you applied your crypto map to the outside interface 'outside2', which from your post is the correct interface:

        SDSL : outside2 - 129.1.1.1 (This is a public IP)

        Does this all make sense now?
        Last edited by spickles; 13th January 2010, 04:23.



        • #5
          Re: Route VPN tunnel through a specific line - ASA 5505

          Thanks again for the detailed explanation. It does make sense.

          The only thing that I don't understand is: from the 'outside2' interface (129.1.1.1), how will it know that the next hop is the SDSL router with IP 129.1.1.2?

          I suppose I have to add a route for this, but how do I set it up to make sure that it doesn't interfere with the default route (route outside 0.0.0.0 0.0.0.0 10.1.1.2) going to the ADSL router for regular internet traffic?

          Thanks.
          Last edited by daff42; 13th January 2010, 08:51.



          • #6
            Re: Route VPN tunnel through a specific line - ASA 5505

            Your route governing this is almost correct. When you create your static route, it is in the following format:

            route <interface> <destination network/mask> <next hop> <administrative distance>

            So to create the route to your partner-network, you tell your ASA box what network you want to reach, what interface to go out, and to use the next-hop of 129.1.1.2 to get to the destination network:

            route outside2 <partner-network/16> 129.1.1.2 1

            You can still use AD of 0 for this if you want because routing operates on the longest match. So even though two routes with the same AD of 0 exist, the one route has a better match to the destination (specified as <destination/mask>) as opposed to the wildcard 'I have no idea where to go' route of last resort (all zeros).

            As for reaching the endpoint 129.1.1.2: since you're telling the ASA what physical interface to leave (outside2), you know that it is part of the 129.x.x.x network. I don't know what the actual subnet is, but let's assume it's a small one (say 129.1.1.0/29). Since the IP address of the outside2 interface is 129.1.1.1, it is on the same subnet as 129.1.1.2. Typically we make these point-to-point links (/30), where there are only two addresses available for endpoints/clients, and you essentially have a 'nailed up' connection to the other endpoint. But with ISPs, you generally get a bit more room depending on the class of service you purchased.

            With the static route information, we've got the layer 3 IP addresses for our packet, but we can't send it until we have the layer 2 information. The ASA obviously knows what its own 'outside2' MAC address is. Therefore, the ASA will broadcast on the subnet (using ARP - Address Resolution Protocol) for the owner of 129.1.1.2. The ASA will say 'Who has 129.1.1.2?' Since it is a broadcast, all end stations will hear this. The station that actually has that IP address will respond with 'Tell <ASA MAC>' and the packet will contain its MAC address. With this information completed, the ASA can now forward packets using unicast (as opposed to broadcast) to the owner of 129.1.1.2 (probably a subinterface on the ISP router).

            Hope that fills in the missing piece for you.
            Last edited by spickles; 13th January 2010, 18:04.



            • #7
              Re: Route VPN tunnel through a specific line - ASA 5505

              Just to clarify something on the static route. After a bit of thought, you may not be able to set a static route to 0 because that's often reserved for directly connected interfaces. I don't have access to my ASA right now to verify, but that is what makes sense to me.



              • #8
                Re: Route VPN tunnel through a specific line - ASA 5505

                I finally had a chance to try this out.

                As advised, I changed the metric of the default route to 1, and added the route for VPN traffic to interface outside2, and it all worked beautifully:

                route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
                route outside2 183.67.41.4 255.255.255.255 129.1.1.2 1
                route outside2 <partner-network/16> 129.1.1.1 1

                FYI, I also tested routing the VPN traffic to the SDSL router and it also worked:

                route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
                route outside2 183.67.41.4 255.255.255.255 129.1.1.2 1
                route outside2 <partner-network/16> 129.1.1.2 1

                Oh, and I used the opportunity to change IKE to main, but I don't think that really had an impact.

                Thanks a lot, Spickles, for your help.

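Putting posts #4, #6 and #8 together, the following is an added example (not code from this thread, from Cisco, or from either poster) that models the two decisions the thread walks through: longest-prefix route selection, where administrative distance only breaks ties between equally specific routes (the floating static route of post #2), and the interesting-traffic ACL of the crypto map bound to the egress interface. 172.16.0.0/16 is a constructed stand-in for the thread's `<partner-network>/16` placeholder, and the choice to consult the crypto map only for traffic already routed out of its interface is a modelling assumption of this example, not something the posts state.

```python
import ipaddress

# Constructed stand-in for the thread's <partner-network>/16 placeholder.
PARTNER_NET = "172.16.0.0/16"
PEER = "183.67.41.4"  # remote tunnel endpoint from the thread

# "route <iface> <net> <mask> <next-hop> <AD>" lines as (iface, prefix, next_hop, ad).
ROUTES_BEFORE = [                   # OP's first attempt: only a host route to the peer
    ("outside",  "0.0.0.0/0",   "10.1.1.2",  1),
    ("outside2", PEER + "/32",  "129.1.1.2", 1),
]
ROUTES_AFTER = ROUTES_BEFORE + [    # post #8: partner-network also routed out outside2
    ("outside2", PARTNER_NET,   "129.1.1.2", 1),
]

# outside2_cryptomap_1, bound to crypto map outside2_map on interface outside2.
CRYPTO_ACL = {"outside2": [("192.168.0.0/24", PARTNER_NET)]}


def lookup(routes, dst):
    """Return (iface, next_hop) for dst: longest prefix wins, AD only breaks ties."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop, ad in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None
                           or (net.prefixlen, -ad) > (best[0].prefixlen, -best[3])):
            best = (net, iface, next_hop, ad)
    return (best[1], best[2]) if best else None


def forward(routes, src, dst):
    """Route the clear packet, then apply the crypto map of the egress interface.

    Modelling assumption: the ACL is only consulted on the interface the packet
    was routed out of, so a packet routed out 'outside' never meets outside2_map
    (the OP's symptom).  On a match the packet is encrypted and the ESP packet,
    now addressed to the peer, is routed again (here via the /32 host route).
    """
    egress = lookup(routes, dst)
    if egress is None:
        return ("drop", None)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_src, acl_dst in CRYPTO_ACL.get(egress[0], []):
        if src in ipaddress.ip_network(acl_src) and dst in ipaddress.ip_network(acl_dst):
            return ("esp", lookup(routes, PEER))
    return ("clear", egress)
```

`forward(ROUTES_BEFORE, "192.168.0.10", "172.16.5.9")` reproduces the original complaint (clear text out `outside`), while the same call against `ROUTES_AFTER` yields an ESP packet toward the peer via `outside2`/129.1.1.2, and ordinary Internet traffic still follows the default route.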


                • #9
                  Re: Route VPN tunnel through a specific line - ASA 5505

                  Glad to hear that worked for you! The change to main mode might not seem like much, but it should take a bit longer (few seconds). The reason for changing it is to improve security. When you use aggressive mode, there are only 3 exchanges but each exchange contains more sensitive information (in clear text). If those were intercepted, an eavesdropper would learn quite a bit about your organization. By sticking with main mode, it's 6 exchanges, takes longer, and less sensitive information is sent in clear text. There are some scenarios where aggressive mode is a requirement, but not for an IPSec remote or site-to-site.

                  Regards,
                  Scott
