Solved

Configure Router, ASA with PBR & Failover. Cisco

Posted on 2010-09-12
Last Modified: 2013-11-16
Hello,

I have a Cisco 2951 with two WAN connections (one DSL, one T1).  The 2951 is then connected to an ASA5510, which is then on the LAN.

My goal is to have Exchange traffic use the T1, while all other traffic use the DSL.  But also, have it failover if one line should ever go down (either way).  And lastly, setup VPN through the ASA.

The "code" section is a pseudo running-config of the 2951 and the 5510.  Does it look correct as far as the PBR (policy based routing) is concerned?  My thoughts are that if I tag all port 25,110 traffic and direct it out the T1, all other traffic that doesn't adhere to that ACL will go out default route.

If the pseudo config is correct, what about the failover portion?

   DSL        T1
   1.1        2.1
    |          |
   1.2        2.2
    ------|------
        2900
          |
         ASA
          |
         LAN

DSL
IP: 1.1.1.2
GW: 1.1.1.1

T1
IP: 2.2.2.2
GW: 2.2.2.1

interface Ethernet0
 description connected to DSL
 ip address 1.1.1.2 255.255.255.240
 half-duplex

interface Ethernet1
 description connected to T1
 ip address 2.2.2.2 255.255.255.248
 speed auto

interface FastEthernet0
 description connected to ASA
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map EXCH
 speed auto

ip route 0.0.0.0 0.0.0.0 1.1.1.1

! a port match ("eq 25") is only valid on a tcp/udp entry, not on "permit ip"
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110

route-map EXCH permit 10
 match ip address 101
 set ip next-hop 2.2.2.1
Then on the ASA...

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.14 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

Question by:devoleb
10 Comments
 
LVL 24

Accepted Solution

by: rfc1180 earned 500 total points
ID: 33659406
Something like this should be a little bit more reliable for you:

Just a note on the half-duplex on Ethernet0: you might run into some performance issues if the other end of the link is hard-set; otherwise, if the other side is auto, you will be fine. Just ensure both sides match for duplex and speed.

interface Ethernet0
 description connected to DSL
 ip address 1.1.1.2 255.255.255.240
 half-duplex

interface Ethernet1
 description connected to T1
 ip address 2.2.2.2 255.255.255.248
 speed auto

interface FastEthernet0
 description connected to ASA
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map EXCH
 speed auto

! port matches require tcp entries; 102 catches everything else
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
access-list 102 permit ip any any

! mail traffic prefers the T1 while track 2 is up, all else the DSL while track 1 is up
route-map EXCH permit 10
 match ip address 101
 set ip next-hop verify-availability 2.2.2.1 1 track 2

route-map EXCH permit 20
 match ip address 102
 set ip next-hop verify-availability 1.1.1.1 2 track 1

track 1 rtr 1 reachability
 delay down 15 up 10
!
track 2 rtr 2 reachability
 delay down 15 up 10

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 2

ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 source-interface ethernet0
 timeout 1000
 threshold 40
 frequency 3

ip sla monitor 2
 type echo protocol ipIcmpEcho 2.2.2.1 source-interface ethernet1
 timeout 1000
 threshold 40
 frequency 3

ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now

ASA config looks ok. As far as the VPNs are concerned, you will need to ensure that you allow protocols 50 and 51 and UDP ports 500 and 4500 through the 2951 for VPN passthrough.

Question: are you planning to use NAT on the 2951? If not, you should reconsider.

Billy
0
 

Author Comment

by:devoleb
ID: 33668423
Wow!
Thanks so much, Billy!  Much appreciated!
While this is my solution, should I mark "Accept as Solution" if I have a couple questions, or should I start a different thread?

As far as NAT goes, yes, I'd like to NAT on the 2951, as I assume this is the easiest.  I assume:
interface Ethernet0
 ip nat outside
interface Ethernet1
 ip nat outside
interface FastEthernet0
 ip nat inside

But not sure about the translations.


And allowing protocols 50,51, and ports on the router are done via separate access-list, correct?


Again, thank you much for your time!
0
 

Author Closing Comment

by:devoleb
ID: 33678314
Couple follow-up questions awaiting reply.
0
 

Author Comment

by:devoleb
ID: 33678548
Billy,

What I'm wanting to do is set up all the subnet traffic for the two WANs to be passed to the ASA.  The ASA will be directing all the traffic locally.  I'm not sure about the NAT setup for this...

Example config from ASA:
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.14 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
access-list incoming extended permit tcp any host 1.1.1.4 eq smtp
access-list incoming extended permit tcp any host 1.1.1.5 eq 80
access-list incoming extended permit tcp any host 2.2.2.2 eq smtp
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
static (inside,outside) tcp 1.1.1.4 25 192.168.1.5 25 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.5 http 192.168.1.44 http netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 25 192.168.1.5 25 netmask 255.255.255.255
access-group incoming in interface outside
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33678553
Sorry for the delay, just got home.

Here is the NAT config:

Inside to outside NAT:

! the interfaces must be marked as NAT inside/outside for the rules below to apply
interface Ethernet0
 ip nat outside
interface Ethernet1
 ip nat outside
interface FastEthernet0
 ip nat inside

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

route-map isp1 permit 10
 match ip address 100
 match interface Ethernet0

route-map isp2 permit 10
 match ip address 100
 match interface Ethernet1

ip nat inside source route-map isp1 interface Ethernet0 overload
ip nat inside source route-map isp2 interface Ethernet1 overload

If you plan to provide any static NAT from outside to inside (Outside to inside):

route-map isp1static permit 10
 match interface Ethernet0

route-map isp2static permit 10
 match interface Ethernet1

ip nat inside source static 10.0.0.100 173.180.90.20 route-map isp1static
ip nat inside source static 10.0.0.101 24.80.65.1 route-map isp2static


>And allowing protocols 50,51, and ports on the router are done via separate access-list, correct?
That is correct, but only if you add access-lists on the incoming side of the WAN connections. Since you have an ASA protecting the network, you could essentially just add ACLs on the 2951 to protect access to the device and just allow any any, as the ASA could provide the stateful packet inspection in addition to the VPN terminations. Also note that you will not have to NAT on the ASA, as you are already NATing on the 2951. Just route traffic through the ASA with no NAT (no sense double NATing).

Billy
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33678631
Missed your post!

As my last post stated, you really do not want to double NAT; this will only cause you headaches down the road.

You can leave the ACLs on the ASA.

You will need a static route on the 2951 for the 192 network:

ip route 192.168.1.0 255.255.255.0 10.0.0.2

Move your NAT and static NAT statements to the 2951. I gave you some examples; here is another ACL for the 192 network:

access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

The static NATs:

ip nat inside source static tcp 192.168.1.5 25 1.1.1.4 25 route-map isp1static
ip nat inside source static tcp 192.168.1.44 80 1.1.1.5 80 route-map isp1static
ip nat inside source static tcp 192.168.1.5 25 2.2.2.2 25 route-map isp2static

I did a lot of copy and paste, so there might be some mistakes; forgive me if there are any. You can always comment back if there are any difficulties.

Billy


0
 

Author Comment

by:devoleb
ID: 33678668
Thanks for all your help so far!

Yes, this is helpful, but I must admit that I'm more comfortable with the ASA static statements and ACL's.  By doing it all on the 2951, am I really just negating the use of the ASA?

I can see what you've done with the static NATs on the 2951, but I'm just used to the ASA IOS.

I'll have to go through the new (to me) syntax.

Incredibly helpful though.  I'll have to combine all these suggestions into one config!  :-)
Thanks again for all your time!
0
 

Author Comment

by:devoleb
ID: 33688197
Hello,

So I started doing a rough config on the actual router and ran into some syntax problems.  

For one, the router doesn't support the "track 1 rtr 1 reachability" command.  There is no "rtr" option.  There is only "int,ip,list,stub-object".  

And... "ip sla monitor", there is no "monitor" option.  Only "key-chain,responder".

You would think I have an old IOS, but "sh ver":
ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2951-universalk9-mz.SPA.150-1.M3.bin"


And also some clarification on the NATing thing.  It seems like you're suggesting that I do the static NATing on the router side (ip nat inside source static tcp 192...); isn't this basically negating the use of the ASA?  I'm just wondering if there's a way to pass the outside traffic to the ASA and let the ASA do, at least, the statics and the ACLs...

lol, should I create a new post?

Thanks for any help.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33688313
>It seems like you're suggesting that I do the static NAT'ing on the router side
Yeah, this is the only way to get it to work; it is where your public IP addresses terminate. Your setup is a complex setup that requires NAT at the router. This is the only way to do what you want to do (at least the only way that I can think of).

As far as the ip sla, the commands are different from version to version.

http://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_cr_book.pdf

for ip sla monitor, I think you want ip sla 1

for track, I believe it will be something like

track ip sla

It is all in the link I listed above. Sorry I did not ask the version of the software prior to posting the configs. Maybe you can figure out how to convert it to the new commands; if not, let me know and I can provide the correct commands.

Billy
0
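The converted probe and track definitions that this reply points to, written out as an added example (not part of the original thread or Billy's posts). The gateway addresses, interface names, timers and the route-map/static-route lines are the accepted answer's own; only the `ip sla` / `track ... ip sla` command forms are the newer syntax the 2951's IOS 15.0 image expects.

```text
! Added example: IOS 15.x forms of "ip sla monitor" and "track rtr"
ip sla 1
 icmp-echo 1.1.1.1 source-interface Ethernet0
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 2.2.2.1 source-interface Ethernet1
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 2 life forever start-time now
!
! damping so a single lost echo does not flip the path
track 1 ip sla 1 reachability
 delay down 15 up 10
track 2 ip sla 2 reachability
 delay down 15 up 10
!
! unchanged from the accepted answer: the route-map and default routes
! reference the track objects by the same numbers
route-map EXCH permit 10
 match ip address 101
 set ip next-hop verify-availability 2.2.2.1 1 track 2
route-map EXCH permit 20
 match ip address 102
 set ip next-hop verify-availability 1.1.1.1 2 track 1
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 2
```

`show track` and `show ip sla statistics` confirm each object's state after the probes have run for a few cycles. Probing the directly connected gateway only detects a dead local link; a probe target beyond the gateway needs a host route (`ip route <target> 255.255.255.255 <that gateway>`) so the echo always leaves via the interface being tested.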
 

Author Comment

by:devoleb
ID: 33688547
Okay, thanks again!  I ended up having to install some trial license for a data package to get the SLA to work.  I guess that's something else we'll have to purchase.

I've attached what I have so far.  How does it look?  Plug in and go?  ;-)

I haven't done the VPN stuff yet.  And with this setup, am I correct in that the ASA is going to be a *very* basic setup?  No NAT, no ACL's, no Statics?  Just "outside" ip 10.0.0.2 and "inside" 192.168.1.14.
run-draft.txt
0
