Wednesday, August 14, 2013

Cisco ASA: Load Balancing With Dual ISP - Separation Of VPN And Internet Traffic

Have you ever needed to run your VPN traffic across one ISP link and all your Internet (YouTube, ESPN, etc.) traffic across your other ISP link?  I came across a customer that wanted to do just that.  They wanted to keep the two types of traffic separate from each other.  They wanted the DSL link to host the VPN traffic and let all other web browsing have the T1 link.  As you know, the ASA does NOT do PBR (policy-based routing).  So, how do you overcome this small detail?
Through static routing.  That's the only way to do it.  You can 'cheat the system', so to speak, with static routes: host and network routes send the VPN peers and the remote subnets out one interface, and the default route carries everything else out the other.  But if you do that, you can forget ISP failover.  So below is the topology and some highlights of the config to show you how to do this.
And now the config (unnecessary parts cut out for brevity).  GREEN is the DSL traffic config, while ORANGE is the Internet traffic config:
sh run
: Saved
:
ASA Version 8.2(5)
!
hostname 5510ASA
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address pppoe 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.105.1 255.255.255.0
!
interface Ethernet0/3
 speed 100
 nameif main_net_T1
 security-level 0
 ip address 7.7.7.6 255.255.255.240 
!
same-security-traffic permit inter-interface
access-list nonat extended permit ip 192.168.105.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.105.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list nonat extended permit ip 192.168.105.0 255.255.255.0 192.168.203.0 255.255.255.0 
access-list nonat extended permit ip 192.168.106.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.106.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list nonat extended permit ip 192.168.106.0 255.255.255.0 192.168.203.0 255.255.255.0 
access-list nonat extended permit ip 192.168.105.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list nonat extended permit ip 192.168.106.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.105.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.105.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.105.0 255.255.255.0 192.168.203.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.106.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.106.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list vpn-acl extended permit ip 192.168.106.0 255.255.255.0 192.168.203.0 255.255.255.0 
access-list secondremotesite extended permit ip 192.168.105.0 255.255.255.0 192.168.150.0 255.255.255.0 
access-list secondremotesite extended permit ip 192.168.106.0 255.255.255.0 192.168.150.0 255.255.255.0 

global (outside) 1 interface
global (main_net_T1) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route main_net_T1 0.0.0.0 0.0.0.0 7.7.7.7 1
route outside 8.8.8.9 255.255.255.255 12.12.12.25 1
route outside 45.45.45.45 255.255.255.255 12.12.12.25 1
route outside 192.168.200.0 255.255.255.0 12.12.12.25 1
route outside 192.168.201.0 255.255.255.0 12.12.12.25 1
route outside 192.168.202.0 255.255.255.0 12.12.12.25 1
route outside 192.168.203.0 255.255.255.0 12.12.12.25 1
route outside 192.168.150.0 255.255.255.0 12.12.12.25 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set 3DES esp-3des esp-none 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 65535 set pfs 
crypto dynamic-map dyn_map 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address secondremotesite
crypto map outside_map 20 set peer 8.8.8.9 
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 30 match address vpn-acl
crypto map outside_map 30 set peer 45.45.45.45 
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
crypto map main_net_T1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map main_net_T1_map interface main_net_T1
crypto isakmp identity hostname 
: ISAKMP must also be enabled on outside, the interface outside_map is applied to, or the two L2L tunnels will never negotiate
crypto isakmp enable outside
crypto isakmp enable main_net_T1
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

vpdn group ISP request dialout pppoe
vpdn group ISP localname DSL@att.net
vpdn username DSL@att.net password DSLpassword

tunnel-group 45.45.45.45 type ipsec-l2l
tunnel-group 45.45.45.45 ipsec-attributes
 pre-shared-key password1
tunnel-group 8.8.8.9 type ipsec-l2l
tunnel-group 8.8.8.9 ipsec-attributes
 pre-shared-key password2
!
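Because the whole design rests on the routing table, the thing worth checking before trusting it is which interface the ASA will actually pick for a given destination, and whether each IPsec peer exits through the interface its crypto map is bound to (the mismatch a reader suspects in the comments). The script below is an added example, not part of the original post and not Cisco code: it parses the `route` and `crypto map` lines copied from the config above, does longest-prefix matching the way the ASA's routing table does, and audits the peer/interface pairing. The sample destination addresses in the usage block are constructed.

```python
"""Audit which ISP link a Cisco ASA will use for a destination.

Added example (not from the blog post). It reads the static `route`
lines and the `crypto map` peer/interface bindings from an ASA 8.2-style
config, performs longest-prefix match like the ASA routing table, and
checks that every static IPsec peer is reachable out of the interface
its crypto map is applied to. ASA_CONFIG is copied from the post; the
destinations used in the usage block are constructed samples.
"""
import ipaddress
import re

ASA_CONFIG = """\
route main_net_T1 0.0.0.0 0.0.0.0 7.7.7.7 1
route outside 8.8.8.9 255.255.255.255 12.12.12.25 1
route outside 45.45.45.45 255.255.255.255 12.12.12.25 1
route outside 192.168.200.0 255.255.255.0 12.12.12.25 1
route outside 192.168.201.0 255.255.255.0 12.12.12.25 1
route outside 192.168.202.0 255.255.255.0 12.12.12.25 1
route outside 192.168.203.0 255.255.255.0 12.12.12.25 1
route outside 192.168.150.0 255.255.255.0 12.12.12.25 1
crypto map outside_map 20 set peer 8.8.8.9
crypto map outside_map 30 set peer 45.45.45.45
crypto map outside_map interface outside
crypto map main_net_T1_map interface main_net_T1
"""

# route <iface> <network> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
# crypto map <name> <seq> set peer <ip>
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+set peer\s+(\S+)")
# crypto map <name> interface <iface>
BIND_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)")


def parse_routes(config):
    """Return (network, interface, next_hop, metric) tuples from `route` lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, net, mask, next_hop, metric = m.groups()
        # ipaddress accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes /0
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((network, iface, next_hop, int(metric or 1)))
    return routes


def egress(routes, dst):
    """Longest prefix wins, lowest metric breaks ties; returns (iface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, iface, next_hop, metric in routes:
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, next_hop)
    return None if best is None else (best[1], best[2])


def check_crypto_peers(config):
    """Compare each static peer's crypto-map interface with its real egress interface."""
    routes = parse_routes(config)
    bindings = {}
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bindings[m.group(1)] = m.group(2)
    results = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if not m:
            continue
        map_name, peer = m.groups()
        bound = bindings.get(map_name)
        out = egress(routes, peer)
        out_iface = out[0] if out else None
        results[peer] = {
            "map_interface": bound,
            "egress_interface": out_iface,
            "consistent": out_iface is not None and out_iface == bound,
        }
    return results


if __name__ == "__main__":
    table = parse_routes(ASA_CONFIG)
    # Constructed sample destinations: a VPN peer, a remote VPN subnet host, a public web server
    for dst in ("45.45.45.45", "192.168.203.7", "203.0.113.10"):
        print(dst, "->", egress(table, dst))
    for peer, info in check_crypto_peers(ASA_CONFIG).items():
        print(peer, info)
```

Running it shows the VPN peers and remote subnets leaving via `outside` (the DSL link) and the public address falling through to the default route on `main_net_T1`, with both peers reported as consistent. If a crypto map were bound to the wrong interface, `consistent` turns false for its peers, which is the quickest way to spot that kind of swap before a tunnel silently fails to come up.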

5 comments:

  1. You don't have to completely forget ISP failover. I have a system running a similar config with full failover capability. In order to accomplish this, I had to set up a back-up VPN and multiple SLAs: one for my internet ISP at site 1, another for my VPN ISP (icmp to site 2) at site 1, and yet another for the VPN connection at site 2.

    Internet ISP goes down at site 1:
    Internet traffic is rerouted to the next available route, which is my VPN ISP.

    VPN ISP goes down at site 1:
    VPN traffic is rerouted through back-up VPN over internet ISP.
    Site 2 shows no connectivity on primary VPN and reroutes VPN traffic through back-up VPN.

    Might I add that site 1 also has redundant ASAs... This was a headache to get right, but now it's a thing of beauty. Downtime in any given failover situation is about 3 seconds.

    - Mike

    1. Mike, great info. Thanks for sharing.

    2. Great job Mike. But I think it could be easier for learners if you mention the remote IP details along with the design; here the ACL and routing part is a bit complicated for learners.
      And hopefully the interfaces which are allocated for internet and VPN are wrongly configured to other interfaces, if we consider the above diagram.

      Anyway, thanks for sharing this extraordinary configuration. :)

      Chandan Dey

  2. Can you show us the full configuration?

    1. That pretty much is the full config.
