EZVPN on ASA scenarios - routing question

Posted on 2014-01-28
Last Modified: 2014-03-24
We have two main locations, Dallas and Phoenix. Both have Cisco ASA 5555 firewalls for VPN termination. We have multiple VPN remote locations with ASA 5510 or ASA 5505 firewalls. Most are using site-to-site tunnels to both Dallas and Phoenix. Dallas is HQ. Phoenix is the DR. Dallas has the 10.10.0.0 subnet. Phoenix has the 10.20.0.0 subnet. Both sit on the MPLS cloud with 100 or so remote sites on MPLS behind them via BGP.
The EZVPN part is pretty easy as far as primary and backup servers. Is there a way to do it so that if a remote VPN site fails over to the backup (i.e. Dallas to Phoenix) we can then start to advertise the route out to the MPLS cloud properly?

This may be more of an ASA firewall routing question.

Thanks
Question by: davidecooper1967
Accepted Solution by: ffleisma (earned 500 total points), ID: 39818082
Based on what I understood, I've created the following diagram:
[diagram: DC-DR VPN]
One solution is to have floating static routes.

From the remote VPN site perspective, one static route points to Dallas, and a lower-AD static route points to Phoenix.

The static routes installed shall be controlled by IP SLA. IP SLA will detect a loss/intermittent/latent path to Dallas/Phoenix, and decides which static route to install in the FW route table.
From the perspective of the Dallas/Phoenix FW, it does reverse-route injection. What RRI does is inject static routes on the firewall for the remote VPN peer subnet when the tunnel is up. In the case where both VPN tunnels are up, both Dallas and Phoenix will have their own static route towards the remote VPN site. These static routes can then be redistributed to the MPLS cloud, with one site having a lower metric/preference than the other site.

Another solution is to run dynamic routing between the DC/DR FWs and the remote-site VPN. This can be done by passing the routing protocol over a GRE tunnel. In this case, we need to set up a GRE over IPsec VPN tunnel between DC/DR and the remote VPN site. Routing protocols do not pass through a normal IPsec tunnel, but they can be run through GRE tunnels. GRE tunnels are less secure than IPsec tunnels; hence, the GRE tunnel is encapsulated inside an IPsec VPN tunnel.

Let me know which solution you prefer, and which items you need to clarify and focus on first. Let me know if you need to clarify or correct some items discussed above.

Hope this helps!
Author Comment by: davidecooper1967, ID: 39818254
Excellent ideas!
I like the reverse route injection option. I am looking at this as if we lose the Dallas internet connection but not the MPLS connection.
I would assume I would need to run routing between the firewall and the MPLS routers at each site then. Then the firewall would inject the routes into the routing table, correct? Simple redistribute static?

PS. What did you use to create the image? Visio or something else?
Regards

DC
Expert Comment by: ffleisma, ID: 39818310
I used Visio.

"I would assume I would need to run routing between the firewall and the MPLS routers at each site then."
Yes (it can be the FW and the core switch of the DC, not necessarily the MPLS router).
And yes, simple static route redistribution into the dynamic protocol between the DC/DR FW and the core/WAN router. Take note that the FW-core routing protocol does not necessarily need to be part of the MPLS routing; it can be just between the FW and core, and redistribution can be done between them.

"I am looking at this as if we lose the Dallas internet connection but not the MPLS connection."
If MPLS is lost on Denver, for example, remember Phoenix is also sending a route to the remote VPN site (but with less metric). Hence, remote MPLS sites would converge to use Phoenix going towards the remote VPN site. However, loss of MPLS on the Denver side is not detected from the remote VPN site; hence, we need to include the Denver MPLS side in the IP SLA configured on the remote VPN FW. So basically on the remote VPN FW, you need to set up IP SLA to "track" both the Denver public IP and the MPLS router IP (inside or far end: remote MPLS site). It depends on how much automatic convergence you may need.

Hope this is helpful; let me know if you need anything else.
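Head-end side of the reverse-route-injection option discussed in this thread (RRI on the DC/DR ASAs, with the resulting statics redistributed into the FW-core routing protocol at different metrics). This is an added example, not configuration from the thread or from Cisco; the inside-link subnets, the EIGRP AS number, the group/map names and the key are assumptions.

```cisco
! Dallas (HQ) ASA 5555 as EZVPN head-end. Phoenix (DR) gets the same crypto
! config with its own addresses and a worse redistribution metric (end of block).
! Assumed (not from the thread): inside link to the core switch is 10.10.1.0/24,
! and EIGRP AS 100 runs only between the ASA and the core, which holds the MPLS/BGP side.

! IKEv1 policy and transform set for the EZVPN hardware clients (ASA 5505/5510)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic crypto map, since EZVPN clients have no fixed peer entry. "set reverse-route"
! (RRI) installs a static route for each client's inside subnet while its tunnel is
! up and withdraws it when the tunnel goes down (e.g. after DPD declares the peer dead).
crypto dynamic-map EZVPN-DYN 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map EZVPN-DYN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic EZVPN-DYN
crypto map OUTSIDE-MAP interface outside

! EZVPN group: network-extension mode so the remote LAN subnet is routed, not NATed.
! Group name and pre-shared key are placeholders.
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 nem enable
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-GROUP ipsec-attributes
 ikev1 pre-shared-key <replace-with-group-key>

! "Simple redistribute static": RRI routes are ordinary statics in the ASA routing
! table, so redistributing statics into the FW-core IGP is enough. Dallas uses a
! good metric (high bandwidth, low delay) so the MPLS cloud prefers it.
router eigrp 100
 network 10.10.1.0 255.255.255.0
 redistribute static metric 100000 100 255 1 1500

! Phoenix (DR) head-end: identical crypto config, but a deliberately worse metric
! so Dallas wins whenever both tunnels are up; when the Dallas tunnel drops, its
! RRI route disappears and only the Phoenix advertisement remains:
!   router eigrp 100
!    network 10.20.1.0 255.255.255.0
!    redistribute static metric 10000 1000 255 1 1500
```

After a remote site connects, "show route" on the head-end ASA should list that site's subnet as a static (S) route via the outside interface, and the core should learn it as an EIGRP external route only from the head-ends whose tunnel is up.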
Expert Comment by: ffleisma, ID: 39818438
One thing, though, that I overlooked: will your remote site be using an Easy VPN setup? Any restrictions why it needs to be Easy VPN? (One thing I can think of is that the public IP is dynamic on the remote VPN site.)

Can you confirm? I believe RRI (reverse route injection) still works for Easy VPN, but let me look into integrating IP SLA with Easy VPN. As far as I know, in Easy VPN you can specify primary/secondary VPN servers (head-end - DC/DR), and failover occurs when the public IP of the DC is unreachable. This takes care of redundancy between DC/DR and the remote VPN site but does not address loss of the MPLS side.
Author Comment by: davidecooper1967, ID: 39818501
Correct. We want to be able to use EZVPN at all the remote sites and get away from site-to-site dedicated tunnels. We want to run Overlay Transport Virtualization at the DR so that if the HQ side fails or we have to move it due to an emergency, we basically move the server subnets to the DR with no addressing changes.