It's time for a topology change!
The other topology was not suited to running the VPNs over it, so I created a new one. We don't have any of the fun stuff like IPS, ACS, ISE, Wifi, or even the ability to run a GUI. It is just going to be CLI only.
I have just done the basic IP addressing so far. The ASAs all get an IP address of .254 for the respective subnet. The routers get an IP, which matches their loopback interface, so Local-1 gets the address 10.1.1.1 on its Gi0/0 interface, and DMVPN-Hub1 has the address 10.1.4.4, and so on.
I have not quite worked out the routing protocols yet; I'll mull it over this weekend. For the moment we will get the ASAs up, mainly the Multicontext Failover ASA and the Transparent ASA.
Transparent ASA
I have already covered transparent ASAs here, so here is just the config:

```
ciscoasa(config)# firewall transparent
ciscoasa(config)# hostname Transparent
Transparent(config)# int gi0/0
Transparent(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
Transparent(config-if)# bridge-group 1
Transparent(config-if)# no shut
Transparent(config-if)# int gi0/1
Transparent(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
Transparent(config-if)# bridge-group 1
Transparent(config-if)# no shut
Transparent(config-if)# exit
Transparent(config)#
Transparent(config)# int bvi 1
Transparent(config-if)# ip add 10.1.7.254 255.255.255.0
Transparent(config-if)#
Transparent(config-if)# end
Transparent# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.7.254      YES unset  up                    up
GigabitEthernet0/1         10.1.7.254      YES unset  up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down up
GigabitEthernet0/3         unassigned      YES unset  administratively down up
GigabitEthernet0/4         unassigned      YES unset  administratively down up
GigabitEthernet0/5         unassigned      YES unset  administratively down up
GigabitEthernet0/6         unassigned      YES unset  administratively down up
Management0/0              unassigned      YES unset  administratively down up
BVI1                       10.1.7.254      YES manual up                    up
Transparent#
Transparent# ping 10.1.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Transparent# ping outside 10.1.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Transparent#
```

Moving swiftly on...
Multicontext Active/Standby ASAs
I haven't looked at Active/Standby ASAs in Multicontext mode before, but let's start with the failover stuff, then work out the rest.

```
ciscoasa(config)# hostname FO-ASA
FO-ASA(config)# failover
FO-ASA(config)# failover lan unit primary
FO-ASA(config)# failover lan interface fover eth3
INFO: Non-failover interface config is cleared on Ethernet3 and its sub-interfaces
FO-ASA(config)# failover key *****
FO-ASA(config)# failover replication http
FO-ASA(config)# failover link fover eth3
FO-ASA(config)# failover interface ip fover 10.1.250.254 255.255.255.0 standb
FO-ASA(config)#
```

Now we just copy this, with a minor edit, to the second ASA:
```
FO-ASA# sh run | i fail
failover
failover lan unit secondary
failover lan interface fover eth3
failover key *****
failover replication http
failover link fover eth3
failover interface ip fover 10.1.250.254 255.255.255.0 standby 10.1.250.252
FO-ASA#
```

Setting up failover first makes life a little easier.
```
FO-ASA(config)# mode noconfirm multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
!
The old running configuration file will be written to flash

Converting the configuration - this may take several minutes for a large configuration

The admin context configuration will be written to flash

The new running configuration file was written to flash
Security context mode: multiple

***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   change mode
Process shutdown finished
```

The primary ASA will then restart, and the secondary will take over:
```
FO-ASA#
        Switching to Active
FO-ASA#
```

This does not mean that the secondary will have its mode changed, though:
```
FO-ASA>
Mate's operating mode (Single) is not compatible with my mode (Multi). Failover will be disabled.
FO-ASA>

FO-ASA#
Mate's operating mode (Multi) is not compatible with my mode (Single). Failover will be disabled.
```

Let's switch the secondary to multiple-context mode, and then failover should work again:
```
FO-ASA(config)# mode noconfirm multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
!
```

We still need to re-enable failover, though (notice that in the second line failover says "Off"):
```
FO-ASA# sh fail
Failover Off
Failover unit Primary
Failover LAN Interface: fover Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
failover replication http
FO-ASA# conf t
FO-ASA(config)# failover
FO-ASA(config)# end
FO-ASA# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 60 maximum
failover replication http
Version: Ours 9.1(5)16, Mate 9.1(5)16
Last Failover at: 19:17:10 UTC Jun 24 2016
        This host: Primary - Negotiation
                Active time: 0 (sec)
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
FO-ASA#
```

We need to do this on the mate as well:
```
FO-ASA# conf t
FO-ASA(config)# failover
FO-ASA(config)# exit
FO-ASA# .
        Detected an Active mate
FO-ASA#
Beginning configuration replication from mate.
FO-ASA#
FO-ASA# ERROR: Password recovery was not changed, unable to access the configuration register.
Removing context 'admin' (1)... Done
INFO: Admin context is required to get the interfaces
INFO: Admin context is required to get the interfaces
Creating context 'admin'... Done. (2)
WARNING: Skip fetching the URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
Crashinfo is NOT enabled on Full Distribution Environment
FO-ASA#
End configuration replication from mate.
FO-ASA#
```

All in all, it is probably quicker to set the mode first and then set up the failover. Nevertheless, we got there in the end. Let's crack on and build the multi-context part. We will need to use sub-interfaces and trunk the switch.
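As an added example (not from the original post), here is a small Python check that parses `show failover` output and flags the two unhealthy states we just walked through: failover disabled, and failover on but the mate not detected. The first two samples are trimmed from the lab output above; the healthy snapshot and the rule that zero monitored interfaces is worth an alert are my own additions.

```python
import re

# Constructed samples: trimmed copies of the two 'show failover' snapshots
# from the lab, before and after 'failover' was re-entered on the primary.
FAILOVER_OFF = """Failover Off
Failover LAN Interface: fover Ethernet3 (up)
Monitored Interfaces 0 of 60 maximum
"""
FAILOVER_ON_NO_MATE = """Failover On
Failover LAN Interface: fover Ethernet3 (up)
Monitored Interfaces 0 of 60 maximum
        This host: Primary - Negotiation
        Other host: Secondary - Not Detected
"""
# Constructed: what the same unit should report once the mate has synced.
FAILOVER_HEALTHY = """Failover On
Failover LAN Interface: fover Ethernet3 (up)
Monitored Interfaces 4 of 60 maximum
        This host: Primary - Active
        Other host: Secondary - Standby Ready
"""

def parse_show_failover(text):
    """Pull the pair-health fields out of 'show failover' output (None if absent)."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.M)
        return conv(m.group(1).strip()) if m else None
    return {
        "enabled": grab(r"^Failover (On|Off)") == "On",
        "lan_if_up": grab(r"^Failover LAN Interface: \S+ \S+ \((\w+)\)") == "up",
        "monitored": grab(r"^Monitored Interfaces (\d+) of \d+", int),
        "this_state": grab(r"This host: \S+ - (.+)$"),
        "other_state": grab(r"Other host: \S+ - (.+)$"),
    }

def failover_findings(text):
    """Return the problems a monitoring job should alert on for this unit."""
    info = parse_show_failover(text)
    findings = []
    if not info["enabled"]:
        findings.append("failover disabled")          # the 'Failover Off' case above
    if not info["lan_if_up"]:
        findings.append("failover LAN interface not up")
    if info["enabled"] and info["other_state"] not in ("Standby Ready", "Active"):
        findings.append(f"mate not healthy: {info['other_state']}")
    if info["monitored"] == 0:
        findings.append("no interfaces monitored")   # interface faults cannot trigger failover
    return findings
```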
```
FO-ASA(config)# failover group 1
ERROR: Failover group can only be created or removed when failover is disabled
FO-ASA(config)# no failover
FO-ASA(config)# failover group 1
FO-ASA(config-fover-group)# primary
FO-ASA(config-fover-group)# preempt
FO-ASA(config-fover-group)# exit
FO-ASA(config)# failover group 2
FO-ASA(config-fover-group)# primary
FO-ASA(config-fover-group)# preempt
FO-ASA(config-fover-group)# exit
FO-ASA(config)# failover
FO-ASA(config)# context C1
FO-ASA(config-ctx)# join-failover-group 1
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C2
FO-ASA(config-ctx)#
FO-ASA(config-ctx)# join-failover-group 2
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C1
FO-ASA(config-ctx)# config-url disk0:/C1.cfg
FO-ASA(config-ctx)# allocate-interface e1
FO-ASA(config-ctx)# allocate-interface e0.1
FO-ASA(config-ctx)# exit
FO-ASA(config)# context C2
FO-ASA(config-ctx)# config-url disk0:/C2.cfg
FO-ASA(config-ctx)# allocate-interface e2
FO-ASA(config-ctx)# allocate-interface e0.2
FO-ASA(config-ctx)# exit
FO-ASA(config)#
```

We will have to make a slight change to the main interface to account for the sub-interfaces, by setting the VLAN information:
```
FO-ASA(config)# int e0.1
FO-ASA(config-subif)# vlan 16
FO-ASA(config-subif)# exit
FO-ASA(config)#
FO-ASA(config)# int e0.2
FO-ASA(config-subif)# vlan 26
FO-ASA(config-subif)# exit
FO-ASA(config)#
FO-ASA(config)# changeto con C1
FO-ASA/C1(config)# interface ethernet 1
FO-ASA/C1(config-if)# nameif Inside
FO-ASA/C1(config-if)# ip add 10.1.4.254 255.255.255.0 stand 10.1.4.252
FO-ASA/C1(config-if)# no shut
FO-ASA/C1(config-if)# int e0.1
FO-ASA/C1(config-if)# nameif outside
FO-ASA/C1(config-if)# ip add 10.1.16.254 255.255.255.0 stand 10.1.16.252
FO-ASA/C1(config-if)# no shut
FO-ASA/C1(config-if)# exit
FO-ASA/C1(config)# changeto con C2
FO-ASA/C2(config)# int e2
FO-ASA/C2(config-if)# nameif inside
FO-ASA/C2(config-if)# ip add 10.1.5.254 255.255.255.0 stand 10.1.5.252
FO-ASA/C2(config-if)# no shut
FO-ASA/C2(config-if)# int e0.2
FO-ASA/C2(config-if)# nameif outside
FO-ASA/C2(config-if)# ip add 10.1.26.254 255.255.255.0 stand 10.1.26.252
FO-ASA/C2(config-if)# no shut
FO-ASA/C2(config-if)# end
FO-ASA/C2#
```

Let's make sure the physical interfaces are up (they are enabled from the system context, not from within C1 or C2):
```
FO-ASA# conf t
FO-ASA(config)# int e0
FO-ASA(config-if)# no shut
FO-ASA(config-if)# int e1
FO-ASA(config-if)# no shut
FO-ASA(config-if)# int e2
FO-ASA(config-if)# no shut
FO-ASA(config-if)# end
FO-ASA# wr mem
Building configuration...
Cryptochecksum: 6d25f26b f839667a 12e15d7c 54dff20a

2017 bytes copied in 0.230 secs
[OK]
FO-ASA#
```

Now a little testing:
```
FO-ASA/C1# ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C1#

FO-ASA/C2# ping 10.1.5.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C2#
```

Next, we need to set up ISP-1, add the VLANs to the intermediate switch, and then test from the ASA:
```
ISP-1(config)#int gi0/0
ISP-1(config-if)#no ip add
ISP-1(config-if)#exit
ISP-1(config)#int gi0/0.1
ISP-1(config-subif)#encap dot 16
ISP-1(config-subif)#no sh
ISP-1(config-subif)#ip add 10.1.16.1 255.255.255.0
ISP-1(config)#int gi 0/0.2
ISP-1(config-subif)#no sh
ISP-1(config-subif)#enc dot 26
ISP-1(config-subif)#ip add 10.1.26.1 255.255.255.0
ISP-1(config-subif)#exit
ISP-1(config)#end
ISP-1#
ISP-1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up
GigabitEthernet0/0.1       10.1.16.1       YES manual up                    up
GigabitEthernet0/0.2       10.1.26.1       YES manual up                    up
GigabitEthernet0/1         10.1.7.1        YES manual up                    up
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down
ISP-1#
```

```
SW1(config)#vlan 16,26
SW1(config-vlan)#exit
SW1(config)#do sh vlan bri

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
16   VLAN0016                         active
26   VLAN0026                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW1(config)#int gi0/0
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh
SW1(config-if)#
SW1(config-if)#int gi0/1
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh
SW1(config-if)#int gi0/2
SW1(config-if)#swi trun enc dot
SW1(config-if)#swi mo tru
SW1(config-if)#no sh
```

```
FO-ASA/C1# ping outside 10.1.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.16.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FO-ASA/C1#

FO-ASA/C2# ping 10.1.26.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.26.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
FO-ASA/C2#

ISP-1#ping 10.1.16.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.16.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
ISP-1#ping 10.1.26.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.26.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/17 ms
ISP-1#
```

This is pretty much the very basics done. I won't be overly permissive with the ASA access-lists this time around. Instead, we will make use of the default deny and be very strict, allowing just the source and destination IP addresses and the relevant ports.
All the IGPs (when I figure out what I will be using and where) will be using authentication, but at least I am in good stead to get started learning the different VPNs.
We will start by getting Local-1 connected to RTD-ASA, which in turn will be connected to CA-Flex, which connects to DMVPN-Hub2. This will use OSPF to propagate the routes, and join RTD-ASA and DMVPN-Hub2 by way of secured OSPF. Once this is done, we'll set up an IPSec VPN between the ASA and DMVPN-Hub1.
But that won't be until next week, because I am taking the kids and wife away for the weekend.
Have a good weekend.