JamesSeddon asked on
Cisco ASA 5525 - WAN with no default route

Hi everyone,

Description of setup: Cisco ASA 5510 with a leased line and PPPOE connections, multiple internal LAN segments. Leased Line has a static IP and manual default route, PPPOE gets IP and Route through DHCP.

Problem: Only one route is added into the routing table, as such we cannot route traffic over the PPPOE connection as the ASA will always follow the default route in the routing table.

Scenario: We are migrating from an old 2Mb/s Leased Line circuit to a 1Gb/s PPPOE circuit, during this process we will need to utilise both connections on the same firewall. This is to allow us to provide a seamless transition for our users and customers with minimal impact to business services. Our aim is to begin changing external services to point toward the new IP on the PPPOE circuit and change the NAT statements on our firewall accordingly. Eventually all services and users will be migrated over to PPPOE and the Leased Line will be removed. Unfortunately a cut-over migration is not feasible as we have hundreds of services that would need to be migrated simultaneously.

Ideal solution: To be able to send and receive traffic through both WAN connections at the same time

Any help is greatly appreciated, please see below the show version from our existing firewall (to be replaced with a 5525 after the migration):

Result of the command: "show ver"

Cisco Adaptive Security Appliance Software Version 8.2(2) 
Device Manager Version 6.3(1)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

 up 62 days 10 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00 
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 001a.2ffc.6652, irq 9
 1: Ext: Ethernet0/1         : address is 001a.2ffc.6653, irq 9
 2: Ext: Ethernet0/2         : address is 001a.2ffc.6654, irq 9
 3: Ext: Ethernet0/3         : address is 001a.2ffc.6655, irq 9
 4: Ext: Management0/0       : address is 001a.2ffc.6656, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited 
Maximum VLANs                  : 100       
Inside Hosts                   : Unlimited 
Failover                       : Active/Active
VPN-DES                        : Enabled   
VPN-3DES-AES                   : Enabled   
Security Contexts              : 2         
GTP/GPRS                       : Disabled  
SSL VPN Peers                  : 2         
Total VPN Peers                : 250       
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2         
Total UC Proxy Sessions        : 2         
Botnet Traffic Filter          : Disabled  

This platform has an ASA 5510 Security Plus license.

Serial Number: 
Running Activation Key: 
Configuration register is 0x1
Configuration last modified by  at 17:40:01.540 GMT/BDT Thu May 12 2016


ArneLovius

Can you post a suitably sanitised "show run"?
JamesSeddon (ASKER)
Hey Arne,

It would be much easier to work on the assumption of a factory default condition ASA. For this scenario this ASA would have two WAN connections, one (2Mb/s Leased Line) using a static IP and a manual default gateway and a second (1Gb/s PPPOE) getting an IP and gateway through DHCP. The internal interfaces all have allow any any against them and use a single dynamic NAT rule to PAT/NAT traffic to the 2Mb/s leased line.

If it's required I can mock up a config for this however it will be from an ASA 5525 in our lab environment. I'm hesitant to post a running-config from our existing firewall as there are hundreds of lines that would need editing/amending and it would more than likely make this more confusing.
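The reluctance above to post a running-config with hundreds of lines to hand-edit is a common blocker, and hand-sanitising is also how secrets slip through. The script below is an added example (not code from the thread or from Cisco) that redacts an ASA 8.2-style "show run" before it is posted: it blanks credentials (enable/passwd, usernames, pre-shared keys, SNMP communities, AAA keys), anonymises hostname and domain, and maps every public IPv4 address to a stable placeholder per /24 (so 203.0.113.2 and 203.0.113.5 become PUB1.2 and PUB1.5, keeping the topology readable). RFC 1918, loopback, link-local, multicast, unspecified and reserved addresses (which covers netmasks) are left alone. The sample config, the rule list and the placeholder scheme are all constructed assumptions for illustration; extend SECRET_RULES for whatever else your config carries (certificates, RADIUS keys, community strings in ACL remarks).

```python
"""Redact an ASA running-config before posting it publicly (added example)."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses that identify nothing on their own and are kept verbatim.
# 240.0.0.0/4 is reserved and also catches every 255.x.x.x netmask token.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# (pattern, replacement) pairs for lines carrying credentials or identity.
# Illustrative, not exhaustive: add rules for anything else in your config.
SECRET_RULES = [
    (re.compile(r"^(enable password|passwd) .*$"), r"\1 <REDACTED>"),
    (re.compile(r"^(username \S+ password) \S+(.*)$"), r"\1 <REDACTED>\2"),
    (re.compile(r"(pre-shared-key) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"(snmp-server community) \S+"), r"\1 <REDACTED>"),
    (re.compile(r"(\bkey) \S+$"), r"\1 <REDACTED>"),      # aaa-server / tacacs keys
    (re.compile(r"^(hostname) \S+"), r"\1 REDACTED-FW"),
    (re.compile(r"^(domain-name) \S+"), r"\1 example.invalid"),
]


class Sanitizer:
    """Stateful so that the same public /24 maps to the same placeholder."""

    def __init__(self):
        self.prefix_map = {}  # "203.0.113" -> "PUB1"

    def _map_ip(self, match):
        text = match.group(0)
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:          # e.g. "999.1.1.1" is not an address
            return text
        if any(ip in net for net in KEEP_NETS):
            return text
        prefix, last_octet = text.rsplit(".", 1)
        label = self.prefix_map.setdefault(prefix, f"PUB{len(self.prefix_map) + 1}")
        return f"{label}.{last_octet}"  # keep the last octet: relationships survive

    def line(self, line):
        for pattern, replacement in SECRET_RULES:
            line = pattern.sub(replacement, line)
        return IPV4_RE.sub(self._map_ip, line)

    def config(self, text):
        return "\n".join(self.line(l) for l in text.splitlines())


def sanitize_config(text):
    """Convenience wrapper: one fresh placeholder map per config."""
    return Sanitizer().config(text)


# Constructed sample in ASA 8.2 syntax; all values are made up.
SAMPLE_CONFIG = """\
hostname corp-asa-01
domain-name corp.example.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username admin password fTsN3nG2d3Qm1E.r encrypted privilege 15
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.5 192.168.10.25 netmask 255.255.255.255
snmp-server community s3cr3tstring
tunnel-group 198.51.100.77 type ipsec-l2l
tunnel-group 198.51.100.77 ipsec-attributes
 pre-shared-key Pa55w0rd!
aaa-server TACACS (inside) host 192.168.10.9
 key tacacs-shared-secret
"""

if __name__ == "__main__":
    print(sanitize_config(SAMPLE_CONFIG))
```

Run it over the real config (`python sanitize.py < running-config.txt` after swapping the sample for `sys.stdin.read()`) and diff the output against the original before posting; anything you expected to disappear but did not needs a new rule, not a manual edit.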
You had mixed PPPoE and DHCP, which prompts me to see as much of the sanitised config as possible.

Thinking about this slightly differently, do you have a single address on the PPPoE circuit, or an address block ?

If you have an address block, then it might be simpler to terminate the PPPoE connection on a suitable router, and then you could use static routing on the ASA.

The Ubiquiti Edge Router Lite https://www.ubnt.com/edgemax/edgerouter-lite/ would be an inexpensive way of doing this, and if your PPPoE connection supports RFC4638, it could also provide you with an MTU of 1500 instead of the usual 1492 with PPPoE.

I am a little bemused by the idea of a 1G PPPoE connection, is the provider unable to just provide Ethernet instead ?
We do have an address block on the 1G connection but will not be making use of this until we swap everything over from the 5510 to a new 5525.

I don't see how terminating the PPPOE on an edge device would alleviate this issue, we would still require the public address space on the ASA to perform NAT and require a default route which can only be acquired through DHCP from the ISP (next hop is an internal device on their network).

We require this type of connection as this is the only one available from our ISP which provides a low contention high bandwidth interface with acceptable support SLAs.
Here's the short answer:

The easiest, most reliable and best thing to do is buy the 5525 now, configure it for the new connection.  When everything works, move your internal network to it and then modify the public DNS records to point to the new addresses.

Regardless of what you do, the most important thing is to manage expectations.  You absolutely can NOT say there will be no downtime, because there will be.  You can plan all you want, but this is a complex migration and something somewhere is going to not go the way you expected it to and you're going to have downtime.

So, manage expectations.  Make sure everyone knows how much you're planning, testing, etc.  Let everyone know downtime will be minimized, but tell them up front that there will most likely be downtime.  When they ask how long, tell them you have no way of knowing, but that you have backed up the current configuration so you can roll back at anytime and try again after you resolve whatever issue occurred.

If you're hell-bent on doing it the way you've described (or you're going to be forced to do it), I've done something similar but it was pretty wonky.  The customer was doing some major SEO and wanted different sites on their internal network to have IPs on different public network IDs.  I ended up having multiple "default" routes on the external interface and it worked.

However, when I called Cisco for an unrelated problem on that ASA, the guy looked at my config and said he had never seen anything like it before and couldn't believe that it worked.  He also said Cisco wouldn't support it.  LOL.

What do you think?
One more thing... before you do anything at all on the public IP addresses, go to your public DNS zone and change all the TTLs.  Those are probably set at one or three hours.  Change them to 5 minutes.  This way, when you make a change, internet DNS servers won't have your old info cached for more than 5 minutes.
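The TTL advice above is worth automating, because a single forgotten record with a multi-hour TTL is what keeps old customers hitting the leased-line address after cutover. The script below is an added example, not code from the thread, and assumes the zone is available as a BIND-style zone file (if the provider only offers a web UI, the same audit still applies by hand). It lowers the `$TTL` default and every explicit per-record TTL above a target (300 s here) and reports what it changed, while leaving the SOA timer fields inside `( ... )` untouched, since those are not record TTLs. The zone contents are constructed for illustration.

```python
"""Lower DNS record TTLs in a BIND-style zone file ahead of a cutover (added example)."""
import re

TTL_TOKEN = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}


def parse_ttl(token):
    """'3600' -> 3600, '1h' -> 3600, anything else -> None."""
    m = TTL_TOKEN.match(token)
    if not m:
        return None
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]


def lower_ttls(zone_text, target=300):
    """Return (rewritten_zone, changes); changes is a list of (owner, type, old_ttl)."""
    out, changes = [], []
    depth = 0  # > 0 while inside a ( ... ) continuation such as the SOA fields
    for line in zone_text.splitlines():
        code = line.split(";", 1)[0]      # strip trailing comment for parsing
        stripped = code.strip()
        if depth > 0 or not stripped:     # continuation lines pass through untouched
            depth += code.count("(") - code.count(")")
            out.append(line)
            continue
        tokens = stripped.split()
        indent = line[: len(line) - len(line.lstrip())]
        if tokens[0] == "$TTL":
            ttl = parse_ttl(tokens[1]) if len(tokens) > 1 else None
            if ttl is not None and ttl > target:
                changes.append(("$TTL", "-", ttl))
                line = f"$TTL {target}"
        elif not tokens[0].startswith("$"):   # a resource record, not $ORIGIN etc.
            owner, i = "(previous owner)", 0
            if not line[0].isspace():          # explicit owner name on this line
                owner, i = tokens[0], 1
            ttl = parse_ttl(tokens[i]) if i < len(tokens) else None
            if ttl is not None:                # optional TTL precedes class/type
                j = i + 1
                if j < len(tokens) and tokens[j].upper() in CLASSES:
                    j += 1
                rtype = tokens[j] if j < len(tokens) else "?"
                if ttl > target:
                    changes.append((owner, rtype, ttl))
                    tokens[i] = str(target)
                    comment = line.split(";", 1)[1] if ";" in line else None
                    line = indent + " ".join(tokens)
                    if comment is not None:
                        line += " ;" + comment
        depth += code.count("(") - code.count(")")
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed sample zone; addresses are documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2016051201 ; serial
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative cache TTL
@       IN NS  ns1.example.com.
ns1     IN A   203.0.113.2
www     3600  IN A 203.0.113.5
mail    1h    IN A 203.0.113.6
        IN MX 10 mail.example.com.
vpn     300   IN A 203.0.113.7
"""

if __name__ == "__main__":
    new_zone, changed = lower_ttls(SAMPLE_ZONE)
    for owner, rtype, old in changed:
        print(f"lowered {owner} {rtype}: {old}s -> 300s")
    print(new_zone)
```

Apply the lowered zone at least one old-TTL period before the first address change (resolvers that already cached a record keep it for the old TTL), bump the SOA serial, and raise the TTLs again once the migration is complete.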
I wasn't suggesting that the router terminating the PPPoE used NAT.

The router would use two of your addresses, one on the PPPoE interface and one on the "inside" interface, creating, if you like, a DMZ between the router and the ASA. The rest of the address block can then be used on the ASA. The router is then the gateway for the ASA, and you can set static routes as appropriate.
Hey Arne,

Would I be correct in assuming the ubiquity device is specifically designed to do this?
The Ubiquiti routers are specifically designed as routers, and PPPoE is not an uncommon use for them; they can be used for significantly more than just PPPoE. I have several clients that baulked at the cost of a L3 switch and use them inside their networks for intra VLAN routing.

It seems that you are not alone in having gigabit PPPoE https://community.ubnt.com/t5/EdgeMAX/pppoe-performance/m-p/1242441