Cisco ASA 5510 configuration for Exchange 2010 DAG implementation

djhath
[environment / configuration diagram]
I have (2) sites, (2) Cisco ASA 5510s both running 8.4.3, and am attempting to configure my environment for an Exchange 2010 DAG implementation.

I felt it might be easiest to describe what I'm attempting to do by way of how I have the respective Ethernet interfaces on each ASA set up:

Site 1:

Eth0: Outside (ISP 1) - X.X.X.X
Eth1: Inside (LAN) - 192.168.1.X
Eth2: DAG network - 10.0.1.X
Eth3: Outside(2) (ISP 2) - X.X.X.X

Site 2:

Eth0: Outside (ISP 1) - X.X.X.X
Eth1: Inside (LAN) - 192.168.2.X
Eth2: DAG network - 10.0.2.X
Eth3: Outside(2) (ISP 2) - X.X.X.X

Each site uses Eth0 as its primary internet and currently has a site-to-site VPN configured between offices. What I would like to do is route all DAG traffic over a separate ISP (which would be Eth3 on both sites) and create a dedicated site-to-site VPN for this purpose with the separate ISPs.

Is this feasible, as in, can the ASAs be configured for this purpose? I've got everything set up to the point of simply needing to get both Eth3 interfaces talking to each other and getting a dedicated site-to-site VPN set up for the DAG implementation.

If needed, I can post the config from each firewall.

Thank you in advance.

Commented:
As you are using an ASA firewall, please disable the Mailguard feature on the firewall.

Refer: http://support.microsoft.com/kb/320027
Network and Security consultant
Commented:
Hello
There is a simple short answer to this question: No.

The ASA firewall cannot do policy-based routing. That means that there is only one routing table and you cannot make exceptions to it, for example to send specific traffic in another direction than the routing table states (for example traffic from a specific inside host or specific protocols).

PBR exists in Cisco routers but unfortunately not in the ASA firewall.

What you can do with multiple ISPs is to have multiple default routes but with different metrics. By SLA tracking you can build redundancy so that if the primary ISP fails your outbound traffic will go through your backup ISP. But there are a lot of limitations for this, for example that it doesn't support inbound traffic to your primary ISP's public IPs. No matter what, it doesn't solve your wish to send traffic from a specific system through one ISP and other traffic through another ISP.

Best regards
Kvistofta
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Though I'm not an Exchange expert ;) I see that DAG uses separate networks (and NICs?).
If so, it should be possible to have those separate network tunneled through the second VPN. Because then you don't use PBR which, as my esteemed colleague Kvistofta stated, isn't possible. You just route the whole DAG network out the second VPN.
I'll need to have a closer look at DAG to see how the networking part works but if my guess is correct, there might be possibilities.
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Even if there is a VPN configured, the ASA still has one single routing table. In order to send traffic through a VPN, there needs to be a route pointing the remote network out through an outside interface (most commonly the default route).

The only solution I can see is to use a separate firewall for a separate DAG-server NIC and connect that to the specific ISP only.

Best regards
Kvistofta
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
@Kvistofta:

Would you need a route in this case? The traffic is 'directed' by means of the access lists in the crypto maps (and nat exempt) so it should be pushed out through the right VPN, shouldn't it?
I must admit I never tried this particular setup before, perhaps it's time to set up a lab for that :)
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
@erniebeek

In order for a specific packet (coming in through the inside interface) to even hit the crypto map (and therefore be checked, by looking in the crypto ACLs, for whether it should be encrypted) the packet FIRST needs to be routed by using the routing table. Remember, the crypto map is defined on the OUTBOUND interface.

An example:
Your ASA has a default route to the ISP next-hop 1.2.3.4.
Your ASA also has a route for 192.168.0.0/16 pointing to an INSIDE router.

Let's say that you configure a VPN tunnel defining traffic from your local network 192.168.1.0/24 to the remote network 192.168.2.0/24. You create a crypto map, a crypto ACL and everything else, and you tie the crypto map to the outside interface.

Will this work? No. Traffic coming into the firewall from inside, destined for the remote network 192.168.2.0 will never hit the crypto acl because the next-hop for this is an inside route, not the outside ISP.

Solution: Add a static route for 192.168.2.0/24 with next-hop of 1.2.3.4. OR add "set reverse-route" in the crypto map entry. It will have the same result.

Still, in this case, the question is to route traffic from a specific inside host to another next-hop than what is in the routing table (encrypted or not), and that is NOT supported.

Best regards
Kvistofta
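The routing-table behaviour Kvistofta describes above (and the single-routing-table point from his first reply) can be worked through with a small longest-prefix-match simulation. This is an added example, not anything the posters or the asker configured; the route entries and the inside-router address 10.0.0.254 are constructed to match the numbers in his example.

```python
import ipaddress

# Constructed routing table modelled on the example in the thread:
# (prefix, egress interface, next hop). An ASA has exactly one such table.
ROUTES = [
    ("0.0.0.0/0", "outside", "1.2.3.4"),          # default route to the ISP
    ("192.168.0.0/16", "inside", "10.0.0.254"),   # summary route to an inside router (assumed address)
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins, as on the ASA."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def hits_crypto_map(routes, dst, crypto_iface="outside"):
    """A packet is only evaluated against the crypto ACL if the routing table
    sends it out the interface the crypto map is bound to."""
    route = lookup(routes, dst)
    return route is not None and route[1] == crypto_iface


def with_vpn_route(routes):
    """The fix from the thread: a /24 static route for the remote VPN network
    (reverse-route injection would install the same entry)."""
    return routes + [("192.168.2.0/24", "outside", "1.2.3.4")]


def main():
    remote_host = "192.168.2.10"   # a host in the remote site's LAN
    print("without /24 route:", lookup(ROUTES, remote_host))
    print("hits crypto map?  ", hits_crypto_map(ROUTES, remote_host))
    fixed = with_vpn_route(ROUTES)
    print("with /24 route:   ", lookup(fixed, remote_host))
    print("hits crypto map?  ", hits_crypto_map(fixed, remote_host))


if __name__ == "__main__":
    main()
```

Run it and the remote-LAN traffic is routed to the inside router (never reaching the crypto ACL) until the more specific /24 route exists; note that adding a second entry for the same /24 via a second outside interface would not give per-host steering, which is the PBR limitation the thread describes.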
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Found an interesting article, didn't have a chance to try this though: http://docwiki.cisco.com/wiki/Terminating_two_ISP's_on_ASA/PIX
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
@Kvistofta:

I see what you mean. But in this case there are two 'inside' interfaces (DAG and LAN) so no next-hop router for a remote network, or at least this is how I interpret this.
I got a gut feeling there should be some way to get this working, I might be wrong though. Gut feelings and IT are never a good combination ;)
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
It doesn't matter how many inside interfaces there are. What matters is that you have 2 different ISP interfaces, and you cannot have a route for any foreign network out through both those ISP interfaces.

However, what erniebeek posts is interesting. I have never tried to do something like PBR with NAT. It could be worth trying!

Best regards
Kvistofta
