Cisco ASA Redundant or Backup ISP Links with VPNs

KB ID 0000544

Problem

This method provides failover to a redundant ISP link should your primary connection go down. It WILL NOT load balance traffic across both interfaces. In this example I've also got a site-to-site VPN to a remote site and some port forwarding to contend with, both of which need to keep working once the firewall has failed over.

Where we are at the start.

Where we want to be

 

Solution

Before you go any further: if the ASA that will carry the backup ISP line is a 5505, it needs a Security Plus licence or this is not going to work (the Base licence on that platform does not support a second ISP interface).

Setup Backup ISP Links at the Main Site

1. Log into the firewall and setup the IP address on your backup interface.

[box]

PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

2. Once failed over, traffic leaving via the backup interface needs to be NATted to that interface's address, so add a PAT rule for (inside,backup). Then add two default routes: one via the outside interface, and a second via the backup interface with a higher administrative distance (254 here, which is what the show route output in step 5 reflects; anything higher than the primary's 1 will do). Note: the primary route is "tracked" against an SLA we will configure in a minute; while the tracked target is reachable the primary route stays in the routing table, and when it is not, that route is withdrawn and the backup route takes over.

[box]

Configure NAT for a firewall running an OS NEWER than 8.3

PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
PetesASA(config-network-object)# nat (inside,backup) dynamic interface

Configure NAT for a firewall running an OS OLDER than 8.3

PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool

Configure the Routes

PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 254

[/box]

3. Now set up an SLA that monitors connectivity to an IP address (here 4.2.2.2, by ICMP echo sent out of the outside interface), then tie that SLA to "track 1", which you will remember is what holds the default route on the primary ISP in place. If the probe fails, the tracked route is withdrawn and the default route swaps to the backup. Pick a target that reliably answers ICMP and that is only reachable through the primary ISP; if the target itself goes away, or starts dropping ICMP, the firewall will fail over even though the line is fine.

[box]

PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#

[/box]

4. Any port forwarding done on the outside interface needs a mirror entry for the backup interface, and the backup interface needs a matching ACL applied inbound, otherwise the forwarded ports are only reachable while the primary line is up. The commands below are the pre-8.3 syntax; on 8.3 and later each forward needs its own network object carrying a nat (inside,backup) static line, and the ACL permits the real (inside) address rather than "interface backup".

[box]

PetesASA(config)# static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
PetesASA(config)# static (inside,backup) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
PetesASA(config)# access-list backup permit tcp any interface backup eq www
PetesASA(config)# access-list backup permit tcp any interface backup eq smtp
PetesASA(config)# access-group backup in interface backup

[/box]

5. Let's test it. Issue a "show route" command, then disconnect your primary ISP and issue another "show route"; the default route should have swapped to the backup like so. You can also check the tracked object and the probe directly with "show track 1" and "show sla monitor operational-state 100".

[box]

PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 123.123.123.124 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 123.123.123.0 255.255.255.240 is directly connected, outside
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
 PetesASA(config)#
 
 
Now Disconnect the Primary line
 
 PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 234.234.234.235 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
 PetesASA(config)#

[/box]

6. To let this firewall accept the existing VPN on its backup interface, apply the crypto map that already serves the outside interface to the backup interface as well (issue a show run crypto if you're unsure of its name), then enable ISAKMP on the backup interface. On 8.4 and later the second command is crypto ikev1 enable backup (the isakmp form is still accepted and rewritten). One more thing to check: whatever NAT exemption keeps the VPN traffic out of PAT must also cover the backup interface. Pre-8.3 nat (inside) 0 access-list rules are not tied to an egress interface, so they carry over; on 8.3 and later the exemption is an (inside,outside) twice-NAT rule, and a failed-over firewall will happily PAT the VPN traffic to the backup interface address unless a matching (inside,backup) or (inside,any) rule exists.

[box]

PetesASA(config)# crypto map outside_map interface backup
PetesASA(config)# crypto isakmp enable backup

[/box]

7. Save the changes with a write mem command.

[box]

PetesASA(config)# wr mem
 Building configuration...
 Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
 
 10220 bytes copied in 3.740 secs (3406 bytes/sec)
 [OK]
 PetesASA(config)#

[/box]
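Pulling the main-site steps together in 8.3-and-later syntax, as an added example rather than the page's own capture. It covers the one thing the steps above show only in pre-8.3 form (the port-forward mirrors and their ACL), and the NAT exemption for the VPN, which the original configuration must already contain for the outside interface but which is not shown on the page. The object names, the local LAN 10.0.0.0/24 and the remote LAN 10.1.0.0/24 are assumptions; everything else uses the addresses from the steps above.

```cisco
! --- Backup ISP interface (step 1) ---
interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 234.234.234.234 255.255.255.248
 no shutdown
!
! --- Outbound PAT for the failed-over state (step 2) ---
! A network object can carry only one nat line, so the second egress
! interface gets its own object.
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup) dynamic interface
!
! --- Port forwards mirrored onto the backup interface (step 4) ---
! Same rule: one nat line per object, so the mirrors get their own objects
! (object names assumed).
object network obj-10.0.0.5-www-backup
 host 10.0.0.5
 nat (inside,backup) static interface service tcp www www
object network obj-10.0.0.3-smtp-backup
 host 10.0.0.3
 nat (inside,backup) static interface service tcp smtp smtp
!
! 8.3+ ACLs match the real (untranslated) address, not "interface backup".
access-list backup extended permit tcp any host 10.0.0.5 eq www
access-list backup extended permit tcp any host 10.0.0.3 eq smtp
access-group backup in interface backup
!
! --- Keep the VPN traffic out of PAT on BOTH paths ---
! LOCAL-LAN, REMOTE-LAN and 10.1.0.0/24 are assumed; the page does not show
! the original exemption. "any" as the mapped interface lets the routing table
! (and therefore the tracked default route) pick the egress interface.
object network LOCAL-LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.1.0.0 255.255.255.0
nat (inside,any) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
!
! --- Reachability probe and tracked default routes (steps 2 and 3) ---
sla monitor 100
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
route backup 0.0.0.0 0.0.0.0 234.234.234.235 254
!
! --- Let the existing L2L VPN terminate on the backup interface (step 6) ---
crypto map outside_map interface backup
crypto isakmp enable backup
```

On 8.4 and later replace crypto isakmp enable backup with crypto ikev1 enable backup. The exemption is deliberately written for (inside,any): a twice-NAT rule written for (inside,outside) is also used by the firewall to choose the egress interface, so it would keep pushing the VPN traffic at the dead link, whereas with any the routing table decides, which is exactly what the tracked route is for.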

Change the ASA at the Remote VPN Site

1. Connect to the firewall at the remote site and find the crypto map entry that points to the main site (show run crypto). Add the main site's backup address as a second peer on that entry; the remote ASA tries the peers in the order listed, so keep the primary address first.

[box]

RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234

[/box]

2. Then create a tunnel group for the new backup address with the same pre-shared key as the tunnel group for the primary IP (the key is what authenticates the peer, so the two groups must match).

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

[/box]

3. Save the changes with a “write mem” command.

[box]

RemoteSite(config-tunnel-ipsec)#write mem
 Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
 
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#

[/box]

To test that the VPN fails over, at the remote site issue a "show cry isa" (show crypto isakmp sa) command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and re-issue it; the peer should have flipped to the backup address. Bear in mind that failing back is not automatic: when the primary line returns, the remote site keeps its existing tunnel to the backup address until that SA is cleared (clear crypto isakmp sa at either end) or the tunnel is otherwise re-negotiated.

[box]

Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
 
Now Disconnect the Primary line at the Main site
 
Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

[/box]

Related Articles, References, Credits, or External Links

Original article written 12/12/11

ASA 5505 Determine Your License Version

KB ID 0000701

Problem

If you are having problems with internal clients NOT getting through the firewall, the licence on your ASA 5505 may be 'too small': once the licensed host limit is reached, additional inside hosts are not allowed through.

ASA 5505 License Differences

Essentially the licences come in 10 user, 50 user and unlimited*. You can also have a Security Plus licence, which increases the IPsec VPN peer count from 10 to 25 and adds Active/Standby failover, dual ISP support and DMZ support.

*Note: These figures are the concurrent total of users, i.e. internal clients making connections through the firewall from the internal VLAN to the external VLAN (not between internal VLANs). If you have no default route defined, the limit applies to hosts on ALL VLANs.

From Cisco 

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

Solution

To find your licence, issue show version (sho ver) from enable mode and look at the "Licensed features for this platform" section: the Inside Hosts line gives the 10 / 50 / Unlimited user count, the Dual ISPs, Failover and VLANs lines reveal whether Security Plus is installed, and the section ends with a line stating which licence the platform has (for example "This platform has a Base license."). The output for each licence looks like this;

ASA 5505 10 User License

ASA5505 50 User License

ASA 5505 Unlimited License

ASA 5505 Security Plus License

Related Articles, References, Credits, or External Links

Find out your Cisco ASA version (Operating system and ASDM)

Cisco ASA 5500 – Adding Licenses

 

Cisco ASA 5505 Routing Between Two (Internal) VLANS

KB ID 0000869 

Problem

I had to set this up for a client this week. I've set up a DMZ on a 5505 before, and I've set up other VLANs to do other jobs, e.g. visitor Internet access, but this client needed a secondary VLAN setting up for IP phones, and in addition I needed to route traffic between both internal VLANs.

I did an internet search and tried to find some configs I could reverse engineer; the few I found were old (pre version 8.3) ones, and most of what I got was people in forums asking why theirs did not work. So I built a firewall with 8.2 code, worked out how to do it, then upgraded the firewall to version 9.1 and picked out the relevant parts of the upgraded config.

Here’s the scenario I’m going to use for this example.

Solution

Before we start, yes I know the ASA is a firewall not a router! A better solution would be to have either a router behind the firewall or, (as is more common) a switch that is layer 3 capable, i.e it can route.

Your ASA MUST have a Security Plus licence to be able to do this. Check your license version.

The commands you use will be different if your firewall is running an operating system earlier than 8.3, check your ASA version and proceed to the correct set of commands.

For Firewalls running an Operating System OLDER than 8.3 go here

How to Setup VLAN Routing on an ASA 5505 (Version 8.3 and Newer)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs. VLAN 2 is outside and is connected to Ethernet 0/0, VLAN 1 is inside and is connected to Ethernet 0/1, and VLAN 112 is for my phones and is connected to Ethernet 0/2. Here I set up the IP addresses and add the physical ports to their VLANs.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1, because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Allow traffic between interfaces that share a security level (inside and the phone VLAN are both 100, and without this the ASA drops traffic between them), and turn on 'hair pinning', the ability to send traffic back out of the interface it came in through. Only the inter-interface line is needed for this scenario; the intra-interface one is not required here but does no harm.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access lists you can skip this step, as traffic flows from a more secure interface (the inside and phone VLANs) to a less secure one (outside) without an ACL. Here I'm going to use an ACL and allow all traffic anyway. Bear in mind that once an ACL is applied inbound on an interface it governs that interface's traffic to every other interface, so each VLAN's ACL must also permit the traffic bound for the other VLAN (the permit ip ... any lines do).

[box]

 Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112 

[/box]

6. Now setup ‘dynamic’ NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.

[box]

Petes-ASA(config)# object network obj_any
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (inside,outside) dynamic interface
Petes-ASA(config-network-object)# object network obj_any-01
Petes-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,outside) dynamic interface

[/box]

7. Now set up 'static' (identity) NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get translated. The mapped address must be the same as the real one: the inside object maps 192.168.12.0 to 192.168.12.0, and the phone object maps 192.168.112.0 to 192.168.112.0. (Mapping the inside network to 192.168.112.0 would make inside hosts appear inside the phones' own subnet, which is not what we want.) On 8.3 and later this step is belt and braces, since the only NAT rules so far are the two PAT rules towards outside and nothing else is translated unless a rule matches.

[box]

Petes-ASA(config)# object network obj-192.168.12.0
Petes-ASA(config-network-object)# subnet 192.168.12.0 255.255.255.0
Petes-ASA(config-network-object)# nat (inside,PHONE_VLAN_112) static 192.168.12.0
Petes-ASA(config-network-object)# object network obj-192.168.112.0
Petes-ASA(config-network-object)# subnet 192.168.112.0 255.255.255.0
Petes-ASA(config-network-object)# nat (PHONE_VLAN_112,inside) static 192.168.112.0

[/box]

8. The config also starts EIGRP and sets the MTU on all three VLANs. Neither is strictly needed for this to work: both VLANs are directly connected, so the ASA already routes between them without a routing protocol, and 1500 is the default MTU. If you keep EIGRP, leave passive-interface outside in place so no hellos leak out of the Internet-facing interface, and remember that with no authentication configured it will form an adjacency with any host on the inside or phone VLAN that speaks EIGRP in AS 500 and accept whatever routes it advertises.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Full Config for you to Copy and Paste;

[box]

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
!
! Identity NAT: mapped network is the same as the real one, so inter-VLAN traffic is untranslated
object network obj-192.168.12.0
subnet 192.168.12.0 255.255.255.0
nat (inside,PHONE_VLAN_112) static 192.168.12.0
object network obj-192.168.112.0
subnet 192.168.112.0 255.255.255.0
nat (PHONE_VLAN_112,inside) static 192.168.112.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112,outside) dynamic interface
!
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]
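The config above lets anything on the phone VLAN reach anything on the inside VLAN. As an added example (not the page's own config, and in 8.3-and-later syntax), here is the same scenario tightened to least privilege: phones may talk to the call manager for signalling and firmware and may reach the Internet, and nothing else from the phone VLAN gets into the inside VLAN. The call manager address 192.168.12.10, the object and group names, and the choice of SCCP/SIP/TFTP are assumptions; real deployments also need the media (RTP) flows to whichever inside hosts terminate calls, and those ports depend on the phone system, so they are left out.

```cisco
! Assumed for this example: the call manager / PBX sits on the inside VLAN at
! 192.168.12.10 and the phones fetch firmware from it by TFTP. Interface names
! and subnets are the ones from the config above.
object network INSIDE-VLAN
 subnet 192.168.12.0 255.255.255.0
object network PHONE-VLAN
 subnet 192.168.112.0 255.255.255.0
object network CALL-MANAGER
 host 192.168.12.10
!
! Phone signalling and firmware: SCCP (tcp/2000), SIP (tcp and udp/5060), TFTP (udp/69).
object-group service PHONE-SIGNALLING
 service-object tcp destination eq 2000
 service-object tcp destination eq sip
 service-object udp destination eq sip
 service-object udp destination eq tftp
!
! Rebuild the phone VLAN ACL as an allow-list. The existing "permit ip ... any"
! line would shadow anything added after it, so clear the ACL first. Order
! matters: first match wins, so specific permits, then the deny for the rest of
! the inside VLAN, then the catch-all for Internet traffic.
clear configure access-list VLAN112_outbound
access-list VLAN112_outbound remark Phones may reach the call manager for signalling and firmware only
access-list VLAN112_outbound extended permit object-group PHONE-SIGNALLING object PHONE-VLAN object CALL-MANAGER
access-list VLAN112_outbound remark Nothing else from the phone VLAN into the inside VLAN (logged)
access-list VLAN112_outbound extended deny ip object PHONE-VLAN object INSIDE-VLAN log
access-list VLAN112_outbound remark Internet access for the phones
access-list VLAN112_outbound extended permit ip object PHONE-VLAN any
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
! The inside VLAN keeps full access to the phones (management, provisioning);
! the page's existing "outbound" ACL on the inside interface already grants that.
!
! Inter-VLAN traffic must not be translated. With only the two PAT rules towards
! outside present, 8.3+ translates nothing between the VLANs anyway; if you keep
! an identity rule, the mapped network must equal the real one.
object network obj-192.168.12.0
 subnet 192.168.12.0 255.255.255.0
 nat (inside,PHONE_VLAN_112) static 192.168.12.0
object network obj-192.168.112.0
 subnet 192.168.112.0 255.255.255.0
 nat (PHONE_VLAN_112,inside) static 192.168.112.0
!
! EIGRP adds nothing here: both VLANs are directly connected. Left running with
! no authentication it would accept an adjacency from any host on a non-passive
! interface and let that host inject routes, so take it out.
no router eigrp 500
```

The deny line is logged so that a host on the phone VLAN probing the inside network shows up in syslog; with the original any/any ACL such probing would have been both permitted and invisible.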

 

How to Setup VLAN Routing on an ASA 5505 (Pre Version 8.3)

1. Connect to the firewall, go to enable mode, then go to configure terminal mode.

[box]


User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. As in the diagram (above) I have three VLANs. VLAN 2 is outside and is connected to Ethernet 0/0, VLAN 1 is inside and is connected to Ethernet 0/1, and VLAN 112 is for my phones and is connected to Ethernet 0/2. Here I set up the IP addresses and add the physical ports to their VLANs.

Note: I don’t need to Add VLAN 1 to Ethernet 0/1 because all ports are in VLAN 1 by default.

[box]

Petes-ASA(config)# interface Ethernet0/0
Petes-ASA(config-if)# switchport access vlan 2
Petes-ASA(config-if)# interface Ethernet0/2
Petes-ASA(config-if)# switchport access vlan 112
Petes-ASA(config-if)# interface Vlan1
Petes-ASA(config-if)# nameif inside
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.12.254 255.255.255.0 
Petes-ASA(config-if)# interface Vlan2
Petes-ASA(config-if)# nameif outside
Petes-ASA(config-if)# security-level 0
Petes-ASA(config-if)# ip address 123.123.123.123 255.255.255.248 
Petes-ASA(config-if)# interface Vlan112
Petes-ASA(config-if)# nameif PHONE_VLAN_112
Petes-ASA(config-if)# security-level 100
Petes-ASA(config-if)# ip address 192.168.112.254 255.255.255.0

[/box]

3. To get traffic working to the internet you will need to specify a ‘route’ to your outside router.

[box]

Petes-ASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

[/box]

4. Allow traffic between interfaces that share a security level (inside and the phone VLAN are both 100, and without this the ASA drops traffic between them), and turn on 'hair pinning', the ability to send traffic back out of the interface it came in through. Only the inter-interface line is needed for this scenario; the intra-interface one is not required here but does no harm.

[box]

Petes-ASA(config)# same-security-traffic permit inter-interface
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]

5. Out of the box, if you have not configured any access lists you can skip this step, as traffic flows from a more secure interface (the inside and phone VLANs) to a less secure one (outside) without an ACL. Here I'm going to use an ACL and allow all traffic anyway. Bear in mind that once an ACL is applied inbound on an interface it governs that interface's traffic to every other interface, so each VLAN's ACL must also permit the traffic bound for the other VLAN (the permit ip ... any lines do).

[box]

Petes-ASA(config)# access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
Petes-ASA(config)# access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-group VLAN112_outbound in interface PHONE_VLAN_112

[/box]

6. Enable NAT so that all traffic leaving both the inside VLAN and the Phone VLAN network get NATTED to the public IP address.

[box]

Petes-ASA(config)# global (outside) 1 interface
Petes-ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Petes-ASA(config)# nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0

[/box]

7. Now set up 'static' (identity) NAT so that traffic travelling between the inside VLAN and the phone VLAN does NOT get translated. The syntax is static (real_interface,mapped_interface) mapped_address real_address, so for identity NAT both addresses are the same network. Pre-8.3 this step is required: the nat (inside) 1 rule above matches all traffic from inside, and with no global for pool 1 on the phone interface the firewall would drop inside-to-phone traffic with "No translation group found".

[box]

Petes-ASA(config)# static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
Petes-ASA(config)# static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0

[/box]

8. The config also starts EIGRP and sets the MTU on all three VLANs. Neither is strictly needed for this to work: both VLANs are directly connected, so the ASA already routes between them without a routing protocol, and 1500 is the default MTU. If you keep EIGRP, leave passive-interface outside in place so no hellos leak out of the Internet-facing interface, and remember that with no authentication configured it will form an adjacency with any host on the inside or phone VLAN that speaks EIGRP in AS 500 and accept whatever routes it advertises.

[box]

Petes-ASA(config)# router eigrp 500
Petes-ASA(config-router)# network 192.168.12.0 255.255.255.0
Petes-ASA(config-router)# network 192.168.112.0 255.255.255.0
Petes-ASA(config-router)# passive-interface outside
Petes-ASA(config-router)# exit
Petes-ASA(config)# mtu inside 1500
Petes-ASA(config)# mtu outside 1500
Petes-ASA(config)# mtu PHONE_VLAN_112 1500

[/box]

9. Save the changes, and give it a test.

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

 

Full Config for you to Copy and Paste;

[box]

interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.254 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.123 255.255.255.248 
!
interface Vlan112
nameif PHONE_VLAN_112
security-level 100
ip address 192.168.112.254 255.255.255.0 
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 112
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list VLAN112_outbound extended permit ip 192.168.112.0 255.255.255.0 any 
access-list outbound extended permit ip 192.168.12.0 255.255.255.0 any 
! 
mtu inside 1500
mtu outside 1500
mtu PHONE_VLAN_112 1500
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (PHONE_VLAN_112) 1 0.0.0.0 0.0.0.0
!
! Identity NAT: mapped network is the same as the real one, so inter-VLAN traffic is untranslated
static (inside,PHONE_VLAN_112) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (PHONE_VLAN_112,inside) 192.168.112.0 192.168.112.0 netmask 255.255.255.0
!
access-group outbound in interface inside
access-group VLAN112_outbound in interface PHONE_VLAN_112
!
router eigrp 500
network 192.168.12.0 255.255.255.0
network 192.168.112.0 255.255.255.0
passive-interface outside
!
route outside 0.0.0.0 0.0.0.0 123.123.123.124 

[/box]

 

Related Articles, References, Credits, or External Links

NA