LAN extension with two ASAs

Posted on 2013-01-10
Last Modified: 2013-02-05
Hi Experts,

Just looking for some design guidance - Here is the scenario I have:

I have two sites - A and B - each site has its own subnet, DHCP, DNS, etc.
In each site I have one vlan for voice and one vlan for data.
Sites A and B are connected together via VPN L2L.
Site A has a pair of Cisco ASA 5510 running 8.2(5) in active/standby mode
Site B has a pair of Cisco ASA 5505 running 8.2(5) in active/standby mode

There is an access list in place defining the traffic.
1 - Voice can talk to Voice across the link
2 - Data can talk to Data across the link
3 - Certain IPs on Data can access certain IPs on Voice across the link and vice versa.

Each site has their own internet connection - these are the same connections the VPN travels through.

Site A looks a bit like this.

PC connects to the distribution switches - Default gateway for the network is a pair of 3560G running HSRP. This switch routes between the local voice and data VLANs - This switch has a gateway of last resort that is the Cisco ASA 5510.

PC------ 3560G Gateway ----- ASA 5510 Gateway ----- Internet

Site B looks a bit like this - Same idea as above

PCs connect to the distribution switches - Default gateway for the network is ONE HP ProCurve J9089A Switch 2610-48-PWR (this is a layer 3 device) - this switch does routing between the local voice and data VLANs - this switch has a gateway of last resort that is the Cisco ASA 5505.

Gateway switch and Cisco ASA (in both sites) are in the same IP subnet, meaning the connection between gateway and ASA is a layer 2 connection.

So the challenge starts now, and it is more of a design challenge than anything else

I recently acquired a LAN extension between these two sites. The purpose of this LAN extension is to substitute the VPN L2L between sites. This LAN extension is 100Mbps full duplex.

My ideal scenario was to replace the VPN L2L by connecting the two endpoints of the LAN extension via spare ports I have on both ASA devices (Site A and Site B). This would help me leverage my knowledge of the Cisco ASA platform in creating and managing access lists.

One of the challenges I face is due to the fact that I am not able to QoS the traffic and I would have to hope that 100Mbps would be enough. Just for your knowledge, Site B's voice mail application is on Site A and there are some extension-to-extension calls going on. On a 10Mbps link (slowest link between the two sites) I have never had problems with these calls or the calls to voice mail.

Ideally for the future I would like to establish some internet redundancy between the two sites: if site A loses internet, please route through site B's internet connection - and vice versa. However this is not my immediate goal.

1 - What do you think about my idea?
2 - Do you see any challenges with this?
3 - If I tackle the job of only replacing the VPN L2L with the LANX - do you think I would have problems failing over the internet between sites in the future?

Much appreciated.
Question by: ifred
LVL 20

Expert Comment

ID: 38764337
I can't speak to the HP's ability to do ACLs, but I know the 3560 can do ACLs. If you are ok with some simple ACLs to control traffic going between Data/Voice at the sites, you should be able to control this on the L3 switches. From there, create one additional VLAN on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASAs. The ASAs can advertise the default routes and any client VPN subnets, and the switches will exchange their locally configured subnets. The ASAs will need to be configured with route tracking or they will never remove the default route from advertisements. Also, the NAT on the ASAs will need to include the additional subnets for outbound internet traffic.

In the above scenario you will have direct site-to-site connectivity, site-to-site vpn backup, and internet backup assuming that both the internet and LAN extension aren't down at the same time.
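The end state rauenpc describes above (a routing VLAN on the L3 switch, OSPF between switch and ASA, a tracked default route on the ASA so it stops advertising the default when the ISP is gone, and NAT that covers the remote site's subnets) as an added configuration sketch. It is not from the thread or from either vendor; only the Cisco side of Site A is shown (ASA 5510 on 8.2 syntax plus one 3560G), and every address, VLAN number, interface name and the ISP next hop is assumed. Site A data is taken as 10.1.10.0/24, voice 10.1.20.0/24, the switch-to-ASA segment 10.1.0.0/24, Site B 10.2.0.0/16, and the routing VLAN 99 on 10.255.255.0/30.

```cisco
! ===== Site A ASA 5510, 8.2(5) syntax (assumed addressing, example only) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.2 255.255.255.0
!
! Reachability probe to the ISP next hop; when it fails the tracked default
! route is withdrawn, so OSPF stops originating the default toward the switch
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! OSPF adjacency with the 3560G pair on the inside segment only;
! the default is advertised only while it is present in the routing table
router ospf 1
 network 10.1.0.0 255.255.255.0 area 0
 passive-interface outside
 default-information originate
!
! PAT must cover Site B's subnets too, since their traffic egresses here
! when Site B's own ISP is down and the default now points across the LANX
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 1 10.2.0.0 255.255.0.0
global (outside) 1 interface

! ===== Site A 3560G (HSRP active member), IOS syntax =====
ip routing
vlan 99
 name LANX-routing
interface GigabitEthernet0/24
 description LAN extension to Site B
 switchport access vlan 99
 switchport mode access
interface Vlan99
 ip address 10.255.255.1 255.255.255.252
interface Vlan100
 description transit segment shared with the ASA pair
 ip address 10.1.0.1 255.255.255.0
!
! Advertise all local subnets; form adjacencies only toward the ASA (Vlan100)
! and toward Site B over the routing VLAN (Vlan99), never into user VLANs
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.255.0 0.0.0.3 area 0
 passive-interface default
 no passive-interface Vlan99
 no passive-interface Vlan100
```

With both ASAs originating a default, each switch learns two: the local one (lower cost) and the remote one via the LANX. When the local ISP probe fails, the local ASA withdraws its default and the switch falls back to the remote default automatically; `show ip route ospf` on the switch and `show route` on the ASA confirm which default is active. The ProCurve at Site B would mirror the switch part in its own syntax, which is not shown here.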

Author Comment

ID: 38764584
Hi Rauenpc,

Thank you for taking the time to post your suggestion, here are my thoughts:

First - just a reminder that likely I would have to do this in stages, meaning first substitute the functionality of the L2L VPN with the LANX. Later in time (could be months) achieve the internet redundancy.

Sounds like what you are suggesting is to have the layer 3 devices perform the routing. I understand this is doable; however you talk about interactions with the ASA from these layer 3 switches.

"From there, create one additional vlan on the L3 switches for the purposes of routing. Configure OSPF on all devices - L3 switches and ASA's."

I would think that unless you are addressing the whole ideal scenario I would like to have in the end (routing, failover, etc.), for using the layer 3 devices, I would probably be better off having these layer 3 devices directly connected to each other, bypassing the firewalls entirely. Straight LANX with a /29 between the devices. Default route points to the ASA, specific routes point to the gateway across the WAN (/29).

So my point was really to not touch the current gateway devices, as they will send all routes unknown to them to the ASA, which in return would know how to handle the traffic over the interface where the LANX is connected to.

I envisioned these interfaces in both ASAs across the WAN to have a /29, but now thinking about it, since both sites have pairs of ASAs I would need something like a /28 at least.

What do you think?
LVL 20

Accepted Solution

rauenpc earned 500 total points
ID: 38764970
If you want to do this in stages, then start with just running OSPF or do static routing on the L3 switches. Each will still have a static default route to the local ASA for internet traffic.

You are correct with the direct connection, and that's what I was trying to describe.

I would leave the ASAs out of the LANX since it is a private connection and shouldn't need the security of an ASA, and only use them for internet and VPN failover in the future. This means you will only require a /30 for routing, but it will be up to you to look forward to predict if you will have any additional sites on the LANX. It might not be a bad idea to just make a /24 and just have the two devices in it. I know it seems like overkill for the time being, but you probably won't ever need to worry about adding additional devices to the mix such as additional sites, and since you're only using a handful of subnets as it is you won't be risking running out of addresses.
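The first stage of the accepted answer (switch-to-switch /30 over the LAN extension, static routes for the remote subnets, default still pointing at the local ASA), with the three rules from the question enforced as a router ACL on the 3560G, as an added configuration sketch that is not from the thread. All addresses, VLAN numbers, port numbers and the "certain IPs" in rule 3 are assumed placeholders: Site A data 10.1.10.0/24 and voice 10.1.20.0/24 with the ASA at 10.1.0.2, Site B data 10.2.10.0/24 and voice 10.2.20.0/24 with the ASA at 10.2.0.2, and the /30 10.255.255.0/30 across the extension.

```cisco
! ===== Site A 3560G, IOS syntax (assumed addressing, example only) =====
ip routing
vlan 99
 name LANX
interface GigabitEthernet0/24
 description LAN extension to Site B
 switchport access vlan 99
 switchport mode access
interface Vlan99
 ip address 10.255.255.1 255.255.255.252
 ip access-group LANX-IN in
!
! Default stays with the local ASA; only Site B's subnets use the extension
ip route 0.0.0.0 0.0.0.0 10.1.0.2
ip route 10.2.10.0 255.255.255.0 10.255.255.2
ip route 10.2.20.0 255.255.255.0 10.255.255.2
!
! The three rules from the question, applied to traffic arriving from Site B
ip access-list extended LANX-IN
 remark rule 1 - voice to voice
 permit ip 10.2.20.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark rule 2 - data to data
 permit ip 10.2.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 remark rule 3 - named data/voice exceptions (placeholder hosts)
 permit ip host 10.2.10.50 host 10.1.20.10
 permit ip host 10.2.20.10 host 10.1.10.50
 remark keep the two switches able to ping each other across the /30
 permit icmp 10.255.255.0 0.0.0.3 any
 deny ip any any log

; ===== Site B HP ProCurve 2610, ProCurve syntax =====
ip routing
vlan 99
 name "LANX"
 untagged 48
 ip address 10.255.255.2 255.255.255.252
 exit
ip route 0.0.0.0 0.0.0.0 10.2.0.2
ip route 10.1.10.0 255.255.255.0 10.255.255.1
ip route 10.1.20.0 255.255.255.0 10.255.255.1
```

Because rauenpc could not vouch for ACL support on the HP, the policy for traffic leaving Site A can be enforced on the 3560G as well with a mirrored list applied `ip access-group LANX-OUT out` on Vlan99, so both directions are filtered on the Cisco side regardless of what the ProCurve can do. The `log` keyword on the final deny punts matching packets to the 3560's CPU, which is fine for spotting misconfigured flows during cutover but is worth removing once the list is settled. If the extension lands on only one of the two 3560Gs, the other member of the HSRP pair needs equivalent static routes for 10.2.0.0/16 pointing at its peer.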
