Adtran and Cisco Network help

  • Adtran and Cisco Network help

    Hello all,

    Currently our 5-site network (set up by someone we no longer do business with) was configured this way...

    Corp Office - Netvanta 7100 (VOIP, VPN, Switch)

    Each of the 5 remote offices - Cisco ASA 5505

    Each remote location has a VPN back to the Corp Office which carries the VOIP and network traffic. Problem: our T1 at the corp office doesn't have enough bandwidth, and the Netvanta is maxed out on VPN tunnels.

    We ordered another internet connection with a static IP to try to alleviate the bandwidth issue, but I just can't get it to work. I'm starting over from scratch today. I have another ASA 5505 at the corporate office. Should I terminate my remote site VPNs on it and then set up another VPN between the ASA and the Netvanta?

    HELP

  • #2
    Re: Adtran and Cisco Network help

    What doesn't work? Please post a detailed diagram.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Adtran and Cisco Network help

      At the corp office, the internet connection is bogged down with all of the VPN/voice traffic, I assume. That's the main issue. And we plan to add more remote locations and have run out of VPNs available on the Netvanta.



      • #4
        Re: Adtran and Cisco Network help

        Running voice over VPN is great for "remote" sites or telecommuters, but the overhead of the VPN encapsulation is huge. Not much you can do until you get more bandwidth at the corp location. IMO I would dump the T1 and go for a metro Ethernet solution, or better yet an MPLS solution, for not only corp but all the remotes as well. This way you have a dedicated circuit between your remotes and the corp location for your voice and local network traffic. T-1s don't scale well, and these days MPLS is cheaper if it's available. T-1s also need dedicated hardware (CSU/DSU), whereas MPLS is usually an Ethernet handoff to the customer. MPLS bandwidth can also be upgraded on the fly and therefore scales well as your company grows.

        As far as maxed VPNs on the Adtran, again nothing much you can do except upgrade it if it gives you more tunnels, or replace it. I would think about an ASA 5520, as the 5505 is a great device but you're pushing its limits if you continue to add more remotes. You can't get rid of the Adtran as it terminates your T-1 and the ASA doesn't support a T1 CSU/DSU, so your only option is either to replace it with a router and terminate the T-1 on that, or stick an ASA behind it for VPN termination.

        In reality, with proper planning this should never have happened. You should have known that this was going to be an issue to begin with and then taken steps to solve it. I know this doesn't help you now, but planning is just as important as implementation.

        In the meantime, what I would do is stop all unnecessary traffic over the VPN. Just the voice RTP stream, control traffic and anything related. I would not send any web traffic over the VPN, as that could be routed out the remote's internet connection towards the ISP.
        Last edited by auglan; 2nd March 2013, 15:17.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Adtran and Cisco Network help

          I have inherited this mess. Not my design. The remote sites at most have two phones and 3 computers. So in your opinion there is no way to make the cable connection work in the meantime?
          Last edited by HubTech; 2nd March 2013, 15:21.



          • #6
            Re: Adtran and Cisco Network help

            Understood, but you own it now. It's not a bad design, but like I said it's not scalable at all. I would get with your management and explain the situation and take steps to remedy it. VPNs are a short-term solution or a backup/failover solution. MPLS, however, is a long-term solution that scales.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Adtran and Cisco Network help

              Originally posted by auglan:
              Running voice over VPN is great for "remote" sites or telecommuters, but the overhead of the VPN encapsulation is huge. Not much you can do until you get more bandwidth at the corp location. IMO I would dump the T1 and go for a metro Ethernet solution, or better yet an MPLS solution, for not only corp but all the remotes as well. This way you have a dedicated circuit between your remotes and the corp location for your voice and local network traffic. T-1s don't scale well, and these days MPLS is cheaper if it's available. T-1s also need dedicated hardware (CSU/DSU), whereas MPLS is usually an Ethernet handoff to the customer. MPLS bandwidth can also be upgraded on the fly and therefore scales well as your company grows.

              As far as maxed VPNs on the Adtran, again nothing much you can do except upgrade it if it gives you more tunnels, or replace it. I would think about an ASA 5520, as the 5505 is a great device but you're pushing its limits if you continue to add more remotes. You can't get rid of the Adtran as it terminates your T-1 and the ASA doesn't support a T1 CSU/DSU, so your only option is either to replace it with a router and terminate the T-1 on that, or stick an ASA behind it for VPN termination.

              In reality, with proper planning this should never have happened. You should have known that this was going to be an issue to begin with and then taken steps to solve it. I know this doesn't help you now, but planning is just as important as implementation.

              In the meantime, what I would do is stop all unnecessary traffic over the VPN. Just the voice RTP stream, control traffic and anything related. I would not send any web traffic over the VPN, as that could be routed out the remote's internet connection towards the ISP.

              How do I separate the traffic?



              • #8
                Re: Adtran and Cisco Network help

                Your crypto ACLs determine what is encrypted and sent over the tunnel. Normally, if the remote site has its own internet connection, then you wouldn't want to send web traffic over the VPN. An exception to this would be if you have a web filter configured at the corp location so all web traffic can be monitored and filtered, etc.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Adtran and Cisco Network help

                  Originally posted by auglan:
                  Your crypto ACLs determine what is encrypted and sent over the tunnel. Normally, if the remote site has its own internet connection, then you wouldn't want to send web traffic over the VPN. An exception to this would be if you have a web filter configured at the corp location so all web traffic can be monitored and filtered, etc.

                  No filtering. If I show you the results from "show run crypto ipsec", could you tell me if all traffic is currently being routed through the VPN?



                  • #10
                    Re: Adtran and Cisco Network help

                    Yeah just post a sanitized config, and I will take a look.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: Adtran and Cisco Network help

                      This is the config from one of the remote sites. This is the only one using DSL; the rest are on cable connections. Several of my sites are in rural areas, and I don't think we'd have access to MPLS.

                      Code:
                      : Saved
                      :
                      ASA Version 8.2(5) 
                      
                      hostname BH-Picayune
                      enable password 8Ry2YjIyt7RRXU24 encrypted
                      passwd 2KFQnbNIdI.2KYOU encrypted
                      names
                      name 192.168.1.0 magee
                      name x.x.x.194 Adtran
                      
                      interface Ethernet0/0
                       switchport access vlan 2
                      
                      interface Ethernet0/1
                      
                      interface Ethernet0/2
                      
                      interface Ethernet0/3
                      
                      interface Ethernet0/4
                      
                      interface Ethernet0/5
                      
                      interface Ethernet0/6
                      
                      interface Ethernet0/7
                      
                      interface Vlan1
                       nameif inside
                       security-level 100
                       ip address 192.168.40.1 255.255.255.0 
                      
                      interface Vlan2
                       nameif outside
                       security-level 0
                       pppoe client vpdn group ATT
                       ip address pppoe setroute 
                      
                      ftp mode passive
                      object-group protocol TCPUDP
                       protocol-object udp
                       protocol-object tcp
                      access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 magee 255.255.255.0 
                      access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host Adtran 
                      access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 magee 255.255.255.0 
                      access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host Adtran 
                      access-list outside_access_in extended permit ip host Adtran interface outside 
                      access-list outside_access_in extended permit ip host magee interface outside 
                      access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 magee 255.255.255.0 
                      pager lines 24
                      logging enable
                      logging asdm informational
                      mtu inside 1500
                      mtu outside 1500
                      icmp unreachable rate-limit 1 burst-size 1
                      asdm image disk0:/asdm-645.bin
                      no asdm history enable
                      arp timeout 14400
                      global (outside) 1 interface
                      nat (inside) 0 access-list inside_nat0_outbound
                      nat (inside) 1 0.0.0.0 0.0.0.0
                      route outside 0.0.0.0 0.0.0.0 x.x.x.233 1
                      timeout xlate 3:00:00
                      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                      timeout tcp-proxy-reassembly 0:01:00
                      timeout floating-conn 0:00:00
                      dynamic-access-policy-record DfltAccessPolicy
                      aaa authentication ssh console LOCAL 
                      aaa authentication http console LOCAL 
                      http server enable
                      http 192.168.40.0 255.255.255.0 inside
                      http 192.168.40.1 255.255.255.255 inside
                      no snmp-server location
                      no snmp-server contact
                      snmp-server enable traps snmp authentication linkup linkdown coldstart
                      crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
                      crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
                      crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
                      crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
                      crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
                      crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
                      crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
                      crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
                      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
                      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
                      crypto ipsec security-association lifetime seconds 28800
                      crypto ipsec security-association lifetime kilobytes 4608000
                      crypto map outside_map 1 match address outside_1_cryptomap
                      crypto map outside_map 1 set peer Adtran 
                      crypto map outside_map 1 set transform-set ESP-3DES-MD5
                      crypto map outside_map 2 match address outside_2_cryptomap
                      crypto map outside_map 2 set peer (ignore this was just a test) 
                      crypto map outside_map 2 set transform-set ESP-3DES-MD5
                      crypto map outside_map interface outside
                      crypto isakmp enable outside
                      crypto isakmp policy 10
                       authentication pre-share
                       encryption 3des
                       hash md5
                       group 1
                       lifetime 86400
                      crypto isakmp policy 30
                       authentication pre-share
                       encryption 3des
                       hash sha
                       group 2
                       lifetime 86400
                      telnet timeout 5
                      ssh 192.168.40.0 255.255.255.0 inside
                      ssh timeout 5
                      console timeout 0
                      vpdn group ATT request dialout pppoe
                      vpdn group ATT localname [email protected]
                      vpdn group ATT ppp authentication pap
                      vpdn username [email protected] password ***** 
                      dhcpd dns x.x.x.1
                      
                      dhcpd address 192.168.40.5-192.168.40.36 inside
                      dhcpd option 157 ascii tftpservers=0.0.0.0,Ftpservers=x.x.x.194:/Adtran,Ftplogin=polycomftp,ftppassword=password,layer2tagging=false,vlanid=0 interface inside
                      dhcpd enable inside
                      
                      
                      threat-detection basic-threat
                      threat-detection statistics access-list
                      no threat-detection statistics tcp-intercept
                      webvpn
                      username kyle password 7BARyhEw4fJ9YnRu encrypted privilege 15
                      tunnel-group x.x.x.194 type ipsec-l2l
                      tunnel-group x.x.x.194 ipsec-attributes
                       pre-shared-key *****
                      tunnel-group (ignore this was just a test) type ipsec-l2l
                      tunnel-group (ignore this was just a test) ipsec-attributes
                       pre-shared-key *****
                      
                      class-map inspection_default
                       match default-inspection-traffic
                      
                      
                      policy-map type inspect dns preset_dns_map
                       parameters
                        message-length maximum client auto
                        message-length maximum 512
                      policy-map global_policy
                       class inspection_default
                        inspect dns preset_dns_map 
                        inspect ftp 
                        inspect ip-options 
                        inspect netbios 
                        inspect rsh 
                        inspect rtsp 
                        inspect skinny  
                        inspect esmtp 
                        inspect sqlnet 
                        inspect sunrpc 
                        inspect tftp 
                        inspect xdmcp 
                        inspect h323 h225 
                        inspect h323 ras 
                        inspect icmp 
                      
                      service-policy global_policy global
                      prompt hostname context 
                      no call-home reporting anonymous
                      call-home
                       profile CiscoTAC-1
                        no active
                        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
                        destination address email [email protected]
                        destination transport-method http
                        subscribe-to-alert-group diagnostic
                        subscribe-to-alert-group environment
                        subscribe-to-alert-group inventory periodic monthly
                        subscribe-to-alert-group configuration periodic monthly
                        subscribe-to-alert-group telemetry periodic daily
                      Cryptochecksum:2d9b2c99fd0021aa1070d2bf90332f70
                      : end



                      • #12
                        Re: Adtran and Cisco Network help

                        access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 magee 255.255.255.0
                        access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host Adtran

                        That's your crypto ACL. So anything from 192.168.40.0/24 to magee or Adtran is what is encrypted and sent over the tunnel. So you already have a split-tunnel setup, and all other traffic should be directed to your ISP and out.
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)

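The check auglan describes in #8 and applies in #12 (read the crypto ACL behind each crypto map entry and see whether it carries only specific prefixes or a catch-all destination) can be automated for a whole config. The script below is an added example, not code from this thread or from Cisco. The config excerpt inside it is constructed in the shape of the posted 8.2 config, with documentation addresses in place of the masked x.x.x ones, plus a second, hypothetical crypto map entry whose ACL ends in `any` to show what a full-tunnel entry looks like by contrast. It assumes the ASA 8.2 syntax seen in the post: `name` aliases, `access-list <n> extended permit ip <src> <dst>`, and `crypto map <name> <seq> match address / set peer`.

```python
"""Audit the crypto ACLs of an ASA 8.2-style config to see what traffic is
sent through each IPsec tunnel (split tunnel vs. everything-over-VPN)."""
import re
from ipaddress import IPv4Network

# Constructed sample in the shape of the config posted in the thread (not the
# poster's config). Entry 1 mirrors the posted split-tunnel ACL; entry 2 is a
# hypothetical full-tunnel ACL added only to show the contrast.
SAMPLE_CONFIG = """\
name 192.168.1.0 magee
name 203.0.113.194 Adtran
access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 magee 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host Adtran
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 any
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Adtran
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 198.51.100.7
"""


def parse_names(config):
    """'name <ip> <alias>' lines let later statements use the alias for the IP."""
    names = {}
    for m in re.finditer(r"^name (\S+) (\S+)", config, re.MULTILINE):
        names[m.group(2)] = m.group(1)
    return names


def take_address(tokens, i, names):
    """Consume one ACL address spec starting at tokens[i]; return (network, next_index).
    ASA spelling: 'any' | 'host <ip-or-alias>' | '<ip-or-alias> <netmask>'."""
    tok = tokens[i]
    if tok == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return IPv4Network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tok, tok)
    return IPv4Network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config, names):
    """Map ACL name -> list of (src, dst) networks for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        if tokens[3] != "permit" or tokens[4] != "ip":
            continue  # deny entries and non-IP protocols are not what a crypto ACL selects here
        src, i = take_address(tokens, 5, names)
        dst, _ = take_address(tokens, i, names)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def parse_crypto_maps(config, names):
    """Map (map_name, seq) -> {'acl': ..., 'peer': ...} from 'crypto map' lines."""
    maps = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)",
                         config, re.MULTILINE):
        entry = maps.setdefault((m.group(1), int(m.group(2))), {})
        if m.group(3) == "match address":
            entry["acl"] = m.group(4)
        else:
            entry["peer"] = names.get(m.group(4), m.group(4))
    return maps


def audit_tunnels(config):
    """One report dict per crypto map entry: which destination prefixes are
    encrypted, and whether the entry sends everything (0.0.0.0/0) over the VPN."""
    names = parse_names(config)
    acls = parse_acls(config, names)
    reports = []
    for (map_name, seq), entry in sorted(parse_crypto_maps(config, names).items()):
        dsts = [dst for _, dst in acls.get(entry.get("acl"), [])]
        reports.append({
            "map": map_name, "seq": seq, "peer": entry.get("peer"),
            "acl": entry.get("acl"),
            "destinations": [str(d) for d in dsts],
            "full_tunnel": any(d.prefixlen == 0 for d in dsts),
        })
    return reports


def is_split_tunnel(config):
    """True when no crypto map entry has an 'any' destination, i.e. only the listed
    prefixes go over the VPN and everything else exits the local ISP link."""
    return not any(r["full_tunnel"] for r in audit_tunnels(config))


if __name__ == "__main__":
    for r in audit_tunnels(SAMPLE_CONFIG):
        kind = "FULL TUNNEL" if r["full_tunnel"] else "split tunnel"
        print(f"{r['map']} seq {r['seq']} -> peer {r['peer']}: {kind}, "
              f"encrypts traffic to {', '.join(r['destinations'])}")
    print("whole box split-tunnel:", is_split_tunnel(SAMPLE_CONFIG))
```

Run it as-is to see the two entries classified, or point `audit_tunnels` at the output of `show run` from a real box. A split-tunnel crypto ACL is only half the picture on ASA 8.2: the `nat (inside) 0 access-list` exemption has to cover the same prefixes, otherwise tunnel-bound traffic is PATed to the outside address and never matches the crypto ACL; the posted config does keep the two ACLs in step.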


                        • #13
                          Re: Adtran and Cisco Network help

                          Would doing the following free up some bandwidth for the time being, till I can research/pursue a better option? Let me give you a little diagram of my network.

                          FYI The Netvanta 7100 is an "all in one" device. Phone system, LAN Switch, VPN

                          Corp Office (192.168.1.0)
                          T1 Adtran 908e --(Ethernet)--> Netvanta 7100 --> LAN Devices

                          Remote Sites (192.168.10-50.0)
                          DSL, Cable, Partial T1 > ASA 5505 > LAN Devices

                          All Remote Sites VPN back into the Netvanta.


                          __________



                          I now have two connections at my corp office: a 12/1.5 Mb cable connection and a 1.5/1.5 T1. I also have an unlimited-user 5505 that isn't being utilized.

                          Could I not move all of the VPNs off of the Netvanta to the ASA? Put the ASA on the LAN with the Netvanta and free up some bandwidth for the local users at the corp site? (Just 5 PCs/phones.)



                          • #14
                            Re: Adtran and Cisco Network help

                            Yeah that should work.
                            CCNA, CCNA-Security, CCNP
                            CCIE Security (In Progress)



                            • #15
                              Re: Adtran and Cisco Network help

                              Now for the fun part. Thanks so much for your help. I may hop back on if I have some routing issues (and I'm pretty sure I will).
