
ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA

[Config] New 5510 replacing multiple pieces of OLD equipment

I was handed an ASA5510 last week and told to use it to replace an aging network that was pieced together over the years with some equipment being over 10 years old. The users are almost all remote users with 881 routers using DMVPN and two branch offices connected with an 881 and an old PIX, VPN concentrator, and 2600 series router. The PIX is just being used as a firewall, the VPN concentrator is used for software clients, and the 2600 is used to just route the traffic.

The plan is to replace the PIX, 2600, and concentrator with the ASA5510. I know the ASA is unable to do DMVPN so I believe I will need to keep the 881 in place at both branch offices. The remote users not only use resources from one of the two branch offices but also call and use resources from other remote users' networks.

I've tried creating a very basic config on the ASA with a static route on the ASA sending all traffic for 192.168.200.0/24 to 192.168.241.3 (881 using DMVPN). I'm able to ping 192.168.200.100 from the ASA with this config but unable to ping it from a workstation on the other side of the ASA. I'm able to get to the internet from the same workstation through the ASA. If I use the ASDM packet tracer to see where the failure is, pinging from 192.168.241.50 to 192.168.200.100, it says it is being blocked by the implicit deny all at the end of the ACLs. The only other line in the ACL list is an allow ANY ANY.

I'm looking for any help at this point. Thanks in advance!

pearcy

join:2004-12-08
Chicago, IL

Can you post a copy of your configs? Please remove any sensitive information first.



ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA

Attachments: 881 config.txt (3,982 bytes), asa config.txt (3,705 bytes)
Here are the configs I currently have on the ASA and the 881.


ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA
reply to ooSillyoo

I'm starting to think this is not as simple as other people in my company were thinking.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by ooSillyoo:

I'm starting to think this is not as simple as other people in my company were thinking.

Tell those people that network design and engineering is never an easy job. Unfortunately a lot of people take the result of a good job for granted and make much more money than those poor undervalued engineers.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to ooSillyoo

Transitioning between devices and technologies is not always easy.

And in fact I might even suggest you do this in a stepped release process, not all guns blazing in one go - something which will either work brilliantly, or fail miserably.

Start by getting the ASA installed, connected to the network and reachable, and move things not necessarily one by one, but in groups.

If you have VPN users, get them to reconfigure their client to point to the ASA. Then move some of the remote branches, etc etc.

Unfortunately some people just don't appreciate how difficult things like this can be. When you have a collection of devices spanning a decade, each doing different things, and perhaps from different vendors, it is never easy to consolidate all of them into a single box. You need to spend time to work out how to configure similar functionality on the new device and make sure that it works.

A lab would certainly be useful for you in this situation so that you can trial this without causing production outages...



ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA

TomS - The good thing is I have a "lab" at my house I can test this with. I've done this in steps so far: getting the basic config up to connect to the internet, then I was able to create the VPN connection using an inbound Cisco VPN soft client to replace the 3000 concentrator, then I moved on to the remote VPN clients using DMVPN.

If I reconfigure the remote clients to point to the ASA how would that work when a client is using resources from another remote network? Is all that traffic going to route over the internet from the remote client to the ASA then to the other remote client, or would the 881s still create a tunnel like they do using DMVPN?

I'm an RF network guy not a routing and security guy.



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

You wouldn't be touching the configuration related to anything other than establishing a VPN to the ASA (e.g. just changing the IP address), so everything else should just continue to work as is.

I can't say I'm an expert with DMVPN, although I have configured it before, but my understanding is that all traffic is passed through the hub in order to reach other spoke sites. But usually spokes are only talking to the hub as the hub is where things like intranet sites etc would live.

Spoke to spoke could be done with dedicated VPNs between them if required.



ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA

Tom,

Based on what I've read the spokes would create a dynamic tunnel to other spokes if a client on one network needed to connect to another. This traffic wouldn't go through the hub. This is very important because we all use IP phones at our remote offices.

The DMVPN works; what I don't understand is why the static route doesn't work. I have a static route in the ASA for the 192.168.200.0 network to go to 192.168.241.2 (881). I can ping devices on the 192.168.200.0 network from the 881 and ASA but not from a client going through the ASA. If I do a traceroute from the ASA the next hop is the 881.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to ooSillyoo

said by ooSillyoo:

Here are the configs I currently have on the ASA and the 881.

Haven't looked into the 881, but for starters, looks like the ASA has two ACLs, INSIDE_ROUTE and INSIDE_ACCESS_OUT. What's supposed to do what, first of all. Second, doesn't look like they're applied anywhere -- recall ACLs have to be bound to an interface before they work. If not, of course your pings are going to be blocked.

I'll need a little more time to review the configs though.

Regards
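The two points raised so far (the static route from the first post and HELLFIRE's note that an ACL does nothing until it is bound to an interface) fit together in a short ASA configuration. The fragment below is an added illustration, not text from the thread or from either attached config file. It assumes the ASA's inside interface is Ethernet0/1 at 192.168.241.1, which the thread never states; the 881's inside address is given as 192.168.241.3 in the first post and 192.168.241.2 in a later one, and the example uses .3. It also adds one element neither post mentions: because the workstation (192.168.241.50) and the 881 share the inside segment, this flow enters and leaves the ASA on the same interface, which the ASA refuses by default.

```cisco
! Inside interface (address is an assumption; the thread does not give it).
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.241.1 255.255.255.0
!
! Static route from the first post: the DMVPN spoke network is reached
! through the 881 sitting on the inside segment.
route inside 192.168.200.0 255.255.255.0 192.168.241.3 1
!
! The workstation and the 881 are on the same segment, so the ASA must
! send this traffic back out the interface it arrived on. Without this
! line the ASA drops such traffic regardless of what the ACLs say.
same-security-traffic permit intra-interface
!
! An ACL has no effect until access-group binds it to an interface.
! This permits everything from inside, matching the "allow ANY ANY"
! mentioned in the first post; tighten it once routing is confirmed.
access-list INSIDE_ACCESS_OUT extended permit ip any any
access-group INSIDE_ACCESS_OUT in interface inside
!
! CLI form of the ASDM packet tracer test from the first post: an ICMP
! echo request (type 8, code 0) from the workstation to the spoke host.
! Each phase reports ALLOW or DROP together with the rule that decided it,
! so the drop reason can be read directly rather than guessed.
packet-tracer input inside icmp 192.168.241.50 8 0 192.168.200.100
```

One design caveat worth checking in the lab before relying on this: since the 881 has a directly connected route back to 192.168.241.0/24, replies from 192.168.200.100 return straight to the workstation without passing the ASA. ICMP pings will still succeed, but the ASA's stateful inspection never sees the return half of a TCP session it forwarded, which can break TCP flows. Giving the inside hosts (or their default gateway) a route for 192.168.200.0/24 that points at the 881 directly, so the ASA is not in the path at all for spoke traffic, avoids both the hairpin and the asymmetry.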


ooSillyoo
Not The Brightest Bulb In The Pack
Premium
join:2004-01-13
Lawrenceville, GA

said by HELLFIRE:

Haven't looked into the 881, but for starters, looks like the ASA has two ACLs, INSIDE_ROUTE and INSIDE_ACCESS_OUT. What's supposed to do what, first of all. Second, doesn't look like they're applied anywhere -- recall ACLs have to be bound to an interface before they work. If not, of course your pings are going to be blocked.

I'll need a little more time to review the configs though.

Regards

I've been trying to stumble through the config, have replaced configs, and reloaded without saving every time, so this is probably a mess. I'm at the point where I probably will be better off starting over and getting the static routes to work first, then go from there.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to ooSillyoo

Unless you have anything pressing in the config, sometimes nuking the config and starting fresh helps, especially if no one bothered maintaining documentation on what stuff did originally.

My 00000010bits.

Regards