Migration from multiple iOS routers to ASAs with failover

Hello experts

We have an environment currently where we have a single internet connection coming into a switch and from that switch cables running to multiple iOS routers.  Each of these routers act as an IPSec VPN endpoint for a single customer to connect to.  A basic overview of this can be seen in the "current" image attached (please note the IP addresses are illustrative only - we are using different public IPs and they are subnetted correctly).

What we want to achieve is what is shown (again, in a basic form) in the 2nd image - "proposed".  

My question is - with multiple public IPs acting as VPN endpoints for customer VPNs - what is the easiest way to do this with an ASA?  Is the best plan to assign a public IP subnet to each individual port on the ASA? Or can I have the internet connection coming into 1 port on the ASA and then set up VLANs so that the traffic is kept apart and the VPN tunnels function correctly?  I have several years of iOS experience but only a little ASA so I just want to make sure I start off on the right foot.

We will almost certainly be deploying ASA 5512s.

Many thanks.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Benjamin Van DitmarsSr Network EngineerCommented:
when youre going to use an asa. youre not able to connect vpn's to ip addres other then the interface ip.
this is realy no problem. you need to reconfigure every site 2 site vpn. and then youre up and running again.
Jan SpringerCommented:
You can configure the crypto map peer with all three IPs in the order that you want them to be used making sure to give each IP its own tunnel-group:

crypto map VPNmap 10 set peer

tunnel-group type ipsec-l2l
tunnel-group ipsec-attrributes
  ikev1 pre-share-key WinterWonderLand

etc for each IP
PlagusAuthor Commented:
Thanks for the responses so far.  Could I use multiple sub-interfaces on the 1 outside interface with the required different public IP addresses and have my separate crypto maps bound to the sub-interfaces?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Jan SpringerCommented:
That depends.  Are all three IPs on the same subnet?

If so, they need to be bound to the same interface.  And, the ASAs do not support secondary IP addresses.  This means that if those three IPs are on the same subnet, then you may use one of them -- not all three.
PlagusAuthor Commented:
The IP address range we are allocated by our ISP is (this is representative, not our actual IPs): /25

We then subnet this for each customer environment: /29 /29 /29

So each environment is on its own, isolated, subnet.  Currently we have / / as the router public IP addresses and therefore the VPN endpoints.

Could I use the .162 / .178 / .194 addresses as IP addresses on 3 sub interfaces of the ASA's outside interface?
Jan SpringerCommented:
Yes, you can.

This sounds as if the physical connections are L2 terminated upstream from the ASA with single connection to your ASA.

If your provider is handing off three physical connections, I'd buy the license for >2 named interfaces and physically separate them as they're supposed to be.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PlagusAuthor Commented:
Thanks Jan.

We do have only a single connection coming in at present.  This goes into a switch and then a separate cable to each router.  I want that single cable to go to the ASA and now you've confirmed what I thought re the sub interfaces I think that will work nicely.  Deployment is a month or 2 away, but the purpose of my question was to make sure I understood the path I needed to go down, which I do now.  Very many thanks,
Jan SpringerCommented:
You're welcome.

You will definitely need a license for >2 named interfaces.  One for each external customer interface, one for each internal customer interface, and one for any other interface(s) you may need.

ASA 5512s allow the subinterface configuring as follows:

interface g 0/0
  no ip address

int g 0/0.10
  ip address
int g 0/0.11
  ip address

etc. where the last number of the interface matches the vlan tagging you'll be using.
PlagusAuthor Commented:
Understood re the license for the interfaces - I'll make sure we organise that when we purchase the 5512s.  Thanks again!
PlagusAuthor Commented:

1 other question if you don't mind?

If I set up the sub interfaces on the outside port as I have described what do I use (a Vlan?) to get the traffic from the appropriate sub interface (outside) to the correct physical inside port that would go to the customer's server?

Jan SpringerCommented:
The device to which you are terminating the other end of the gateway for those hosts should be tagging the interface for the vlan.  What is the next hop layer 3 device?
PlagusAuthor Commented:
Next hop as in inside the network towards the server? A Catalyst switch will be there.
Jan SpringerCommented:
For example, what device has
PlagusAuthor Commented:
At present it is an 800 series router.  The plan is to remove that however.  The thinking at present would be to have:

Catalyst Switch
|                    |
|                    |
Server1         Server2  etc

But if this would not work then, given I am still in the planning for all of this, now is the time to find out!

I understand the subinterfacing on the outside port, I am just not totally clear on how we can keep the traffic flowing from each outside sub-interface (each being assigned a VLAN) to the inside interfaces (each in their own VLAN) and therefore into the servers.
Jan SpringerCommented:
Above the ASA.

If you terminate those subnets to vlans on the ASA, to what device is the other end connected?
PlagusAuthor Commented:
Above the ASA is our internet connection from our ISP.  Unfiltered, entirely open. Nothing more to it than that.

Basically this is how we have things currently:

Customer network----Public internet

Public Internet----- IOS router

An IPSec tunnel is configured between the customer network and the dedicated IOS router on our side.

We have 3 of these set up - 3 customer networks with internet connections, 3 dedicated IOS routers here, each on a configured public subnet (a /28) within our larger /25 subnet provided by our ISP. The IPSec tunnel comes in to the router and traffic flows from the WAN port of the router, through ACLs, to the server on the LAN side.
Jan SpringerCommented:
Okay.  So those subnets terminate on the Catalyst switch.  

If each of the IPs on the ASA is the subnet for the respective Vlans, on the Catalyst:

interface <to ASA>
  switchport mode trunk
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10-12

interface <to server on subnet 1>
  switchport mode access
  switchport access vlan 10

interface <to server on subnet 2>
  switchport mode access
  switchport access vlan 11

Is this what you're looking for?
PlagusAuthor Commented:
Ah - right, OK - it is becoming clearer now. Thanks (again!).

So - stop me if I am wrong.... I configure each sub-interface on the ASA's outside interface with the appropriate /28 subnet and an appropriate VLAN tag.  This would allow each customer's IPsec VPN to terminate at the ASA. All traffic then flows from the outside sub-interfaces to the inside interface of the ASA which then flows to the Catalyst. The Catalyst's reads the VLAN tagging from the sub-interfaces of the ASA and the ports are then configured as you have shown above and the traffic arrives at the correct server.

Have I got that right?
Jan SpringerCommented:
No.  And I think you're confusing me, as well :)

I originally thought you wanted these terminated on the outside interface and the remote end had the gateway for that subnet.

Then I understood that the subnets should go on the inside and terminate directly to the servers.

So, the question is:  using one subnet as an example, where exactly will the other IPs in that subnet be used?
PlagusAuthor Commented:
Ah heck, apologies for messing you about.

The answer to your question is that currently we NAT some of the public IPs within the subnet to a LAN IP address.

So - for example we currently have

Subnet: / - router - NATted to server - NATted to server - NATted to server
Jan SpringerCommented:
okay, so those vlan subnets will sit on the interface to which the catalyst is connected.

and then you have it correct!

g0/0 => to provider
g0/1 => to catalyst
g0/1.10 => vlan 10 for first subnet
g0/1.11 => vlan 11 for second subnet
PlagusAuthor Commented:
I am more grateful than I can say for you sticking with me on this.  Thank you!
Jan SpringerCommented:
You're welcome.  Holler if you run into a problem.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.