EZVPN on ASA scenarios- routing question

Posted on 2014-01-28
Medium Priority
Last Modified: 2014-03-24
We have two main locations, Dallas and Phoenix. Both have Cisco ASA 5555 firewalls for VPN termination. We have multiple VPN remote locations with ASA 5510 or ASA 5505 firewalls. Most are using site-to-site tunnels to both Dallas and Phoenix. Dallas is HQ. Phoenix is the DR. Dallas has subnet. Phoenix has subnet. Both sit on an MPLS cloud with 100 or so remote sites on MPLS behind them via BGP.
The EZVPN part is pretty easy as far as primary and backup servers. Is there a way to do it so that if a remote VPN site fails over to the backup (i.e. Dallas to Phoenix) we can then start to advertise the route out to the MPLS cloud properly?

This may be more of an ASA firewall routing question.

Question by:davidecooper1967

Accepted Solution

ffleisma earned 2000 total points
ID: 39818082
Based on what I understood, I've created the following diagram:
One solution is to have floating static routes.
From the remote VPN site perspective, one static route points to Dallas, lower AD static route points to Phoenix.
Static routes installed shall be controlled by IP SLA. IP SLA will detect loss/intermittent/latent path to Dallas/Phoenix, and decides which static route to install in the FW route table.
From the perspective of the Dallas/Phoenix FW, it does reverse-route injection. What RRI does is that it injects static routes on the firewall for the remote VPN peer subnet when the tunnel is up. In the case where both VPN tunnels are up, both Dallas and Phoenix will have their own static route towards the remote VPN site. These static routes can then be redistributed to the MPLS cloud, with one site having lower metric/preference than the other site.

Another solution is to run dynamic routing between the DC/DR FWs and the remote site VPN. This can be done by passing the routing protocol over a GRE tunnel. In this case, we need to set up a GRE over IPsec VPN tunnel between DC/DR and the remote VPN site. Routing protocols do not pass through a normal IPsec tunnel, but they can be run through GRE tunnels. GRE tunnels are less secure than IPsec tunnels, hence the GRE tunnel is encapsulated inside an IPsec VPN tunnel.

Let me know which solution you prefer, and which items you need to clarify and focus on first. Let me know if you need to clarify or correct some items discussed above.

Hope this helps!

Author Comment

ID: 39818254
Excellent ideas!
I like the reverse route injection option. I am looking at this as if we lose the Dallas internet connection but not the MPLS connection.
I would assume I would need to run routing between the firewall and the MPLS routers at each site then. Then the firewall would inject the routes into the routing table, correct? Simple redistribute static?

PS.  What did you use to create the image?  Visio or something else?


Expert Comment

ID: 39818310
I used Visio.

I would assume I would need to run routing between the firewall and the MPLS routers at each site then.
Yes (can be FW and core switch of the DC, not necessarily the MPLS router).
And yes, simple static route redistribution to dynamic between DC/DR FW and core/WAN router. Take note that the FW-core routing protocol does not necessarily need to be part of the MPLS routing; it can be just between the FW and core, and redistribution can be done between them.

I am looking at this as if we lose the Dallas internet connection but not the MPLS connection.
If MPLS is lost on Denver for example, remember Phoenix is also sending a route to the remote VPN site (but with less metric). Hence, remote MPLS sites would converge to use Phoenix going towards the remote VPN site. However, loss of MPLS on the Denver side is not detected from the remote VPN site, hence we need to include the Denver MPLS side in the IP SLA configured on the remote VPN FW. So basically on the remote VPN FW, you need to set up IP SLA to "track" both the Denver public IP and the MPLS router IP (inside or far end: remote MPLS site). Depends on how much automatic convergence you may need.

Hope this is helpful, let me know if you need anything else.

Expert Comment

ID: 39818438
One thing, though, that I overlooked: will your remote site be using an Easy VPN setup? Any restrictions why it needs to be Easy VPN? (One thing I can think of is that the public IP is dynamic on the remote VPN site.)

Can you confirm? I believe RRI (reverse route injection) still works for Easy VPN, but let me look into integrating IP SLA on Easy VPN. As far as I know, in Easy VPN you can specify primary/secondary VPN server (head-end - DC/DR), and failover occurs when the public IP of the DC is unreachable. This takes care of redundancy between DC/DR and the remote VPN site but does not address loss of the MPLS side.

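The RRI-plus-redistribution design from the accepted solution and the primary/backup server list from the comment above, as a constructed ASA configuration that is not from the thread: all addresses are RFC 5737 documentation placeholders, the transform set, OSPF process, EZVPN group name and keys are assumed, and the tunnel-group/group-policy for the EZVPN group are assumed to already exist.

```cisco
! ---- Dallas head-end ASA (constructed example, placeholder addresses) ----
! Dynamic crypto map for EZVPN hardware clients whose public IP is unknown.
crypto dynamic-map DYN-EZVPN 10 set ikev1 transform-set ESP-AES-SHA
! RRI: when a remote tunnel comes up, install a static route for that remote's
! subnet on the ASA; the route is removed again when the tunnel drops.
crypto dynamic-map DYN-EZVPN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-EZVPN
crypto map OUTSIDE-MAP interface outside
!
! Routing only between the ASA and the core/WAN router on the 10.1.1.0/24
! transit link; the core redistributes onward into the MPLS BGP.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 ! Hand the RRI static routes to OSPF with a low metric: Dallas is preferred.
 redistribute static metric 10 subnets

! ---- Phoenix head-end ASA: same RRI setup, but a worse metric ----
! While both tunnels are up, MPLS sites see two paths and choose Dallas.
! If only the Dallas tunnel (or Dallas itself) drops, the Dallas RRI route
! disappears and the MPLS cloud converges onto the Phoenix advertisement.
router ospf 1
 network 10.2.1.0 255.255.255.0 area 0
 redistribute static metric 100 subnets

! ---- Remote ASA 5505 as EZVPN hardware client ----
! Primary server Dallas, backup Phoenix: the client fails over to the next
! listed server when the active head-end's public IP stops responding.
vpnclient server 203.0.113.10 198.51.100.10
! Network extension mode keeps the remote LAN routable, which is what RRI
! advertises at the head-end.
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN-GROUP password GROUP-KEY-PLACEHOLDER
vpnclient username remote-site-1 password USER-KEY-PLACEHOLDER
vpnclient enable
```

On either head-end, `show route` should list the remote subnet with an `S` flag while its tunnel is up, and `show ospf database external` on the core confirms the two metrics differ.
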
Author Comment

ID: 39818501
Correct. We want to be able to use EZVPN at all the remote sites and get away from site-to-site dedicated tunnels. We want to run Overlay Transport Virtualization at the DR so that if the HQ side fails or we have to move it due to an emergency, we basically move the server subnets to the DR with no addressing changes.
