Cisco ASA: Bridge mode with dynamic VPN tunnel. Part1.

Cisco ASA 5506-X/W came out as a perfect fit for Home/Small office network with NG Firewall, built-in Wireless AP (LWAP capable) and FirePOWER IPS/URL features that were lacking on ASA5505. However, in remote access VPN setup it looked really ugly when every port had to be on its own Layer 3 gateway. Lack of bridging functionality broke features like AirPrint forcing people to buy a switch and external AP to get around these limitations.

Finally, update came out with interface bridge feature and support for VPN connectivity. With this in mind, we can now deploy it as complete security solution for remote users and sites. In this post, I’ll go over configuration specifics and some work around needed to make it work.

Cisco ASA: 9.7(1)8

Before we go any further be aware of this bug. At the time of this writing the fix is to disable any dynamic and multicast routing .

This setup is for Remote user working from home office but configuration can be easily tweaked to support small office (expand DHCP scope and add a layer 2 switch).

Port 1 will be set up for DHCP Internet/modem connection. Ports 1/2 Vlan100 (10.x.x.0/24) traffic will be encapsulated over the tunnel to the Primary datacenter (dc1). Port 1/3 Vlan200 (10.y.y.0/24) traffic will be encapsulated over a different tunnel to Secondary/Backup (dc2) datacenter. There are a few reasons for this. First and obvious is redundancy. If connectivity to dc1 fails user can simply move the cable over to port 1/3 and be connected through a backup tunnel. The other reason is troubleshooting purposes. A lot of times especially with Voice and Video streams when user is reporting connectivity issues it will be much easier to rule out the path. All you need to do is to move cable over to next port.

BVI interface can not be used to manage ASA remotely over VPN tunnel.

To manage ASA over VPN Management IP has to be assigned to a physical interface. We can do it 2 ways: either use 2 ports  (1/6 and 1/7) so we do not rely on user connectivity or use port 1/8 and reuse the same subnet for FirePOWER (FP) management. If physical ports availability is not limited I’d prefer 1st option and I’ll explain why later.

Now configuration breakdown.

Internet Interface.

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute

Primary and Backup BVI Interfaces.

interface BVI100
nameif inside-dc1
security-level 100
ip address 10.x.x.1
interface BVI200
nameif inside-dc2
security-level 100
ip address 10.y.y.1

Assign Vlans to interfaces. Note that you still need to specify nameif and security-level commands otherwise traffic will not pass.

interface GigabitEthernet1/2
bridge-group 100
nameif inside2
security-level 100
interface GigabitEthernet1/3
bridge-group 200
nameif inside3
security-level 100

If you need to configure trunk interface (for layer 2 switch) then it will look similar to configuration below. Again do not forget to apply name and security level to logical interfaces.

interface GigabitEthernet1/4
no nameif
no ip address
interface GigabitEthernet1/4.100
vlan 100
bridge-group 100
nameif inside100
security-level 100
interface GigabitEthernet1/4.200
vlan 200
bridge-group 200
nameif inside200
security-level 100

Next, configure dedicated Management interface for ASA. I’ll use dc1 subnet for management.

interface GigabitEthernet1/6
nameif Management
security-level 100
ip address 10.x.x.253

For FP management I’ll user subnet routed over to dc2 for ASA fallback access (see Part2).

interface GigabitEthernet1/8
nameif inside8
security-level 100
ip address 10.y.y.9

WiFi Interface setup. As you can see now we use same Vlan 100 for IP address assignment which resolves AirPrint issues. If AP is managed by Wireless Lan Controller (WLC) then you can match WiFi data Vlan (300 in this example) to corporate setup. No need to create dedicated Flex group on WLC.

interface GigabitEthernet1/9
nameif wifi-mgmt
security-level 100
ip address 10.y.y.253  ///dc2 subnet was used as an example
interface GigabitEthernet1/9.300
vlan 300
bridge-group 100
nameif wifi
security-level 100

Of course, your interface names will show up on FMC device management screen and they will need to be assigned to security zones like any other named interface.

Next configure NAT and PAT.

object-group network OG_RFC-1918

nat (any,outside) source static OG_RFC-1918 OG_RFC-1918 destination static OG_RFC-1918 OG_RFC-1918 no-proxy-arp route-lookup

object network obj_any
nat (any,outside) dynamic interface

Setup management and monitoring.

management-access Management
aaa-server TACACS+ (Management) host ***
snmp-server host Management *** community ***
logging host Management ***
http server enable
http 0 0 Management
ssh 0 0 Management

Configure DHCP.

dhcpd dns ***
dhcpd domain ***
dhcpd option 150 ip ***   // for the IP phones if needed
dhcpd option 43 hex ***  // for WLC if needed
dhcpd address 10.x.x.2-10.x.x.6 inside-dc1
dhcpd enable inside-dc1
dhcpd address 10.y.y.2-10.y.y.6 inside-dc2
dhcpd enable inside-dc2
dhcpd address 10.y.y.254-10.y.y.254 wifi-mgmt
dhcpd enable wifi-mgmt

With FP I found it much easier to use DHCP for IP address assignment as it pulls most of the settings during configuration (except hostname which can be assigned later). DHCP pool contains single IP which guarantees same address assignment after reboot.

dhcpd address 10.y.y.10-10.y.y.10 inside8
dhcpd enable inside8

This should be all you need for network and packet forwarding through ASA. In my next post I’ll cover VPN configuration specifics.


9 comments On Cisco ASA: Bridge mode with dynamic VPN tunnel. Part1.

  • Thanks a lot for making this. I’ve been looking for some clarification with all the changes from the old 5505’s and making sure my design is right. Is it safe to say that as long as there’s a physical interface configured with an IP on the ASA, (gi1/6) connected to another interface in a bridge group (gi1/7 bridge-group 100), that we can establish connection by way of a VPN to BVI100 on the same subnet?

    Also, is the Wifi example from another configuration? Is there a reason to have different VLANs on the same broadcast domain? I’m looking at options to use both the built-in 5506W AP, which is reachable through the back plane, and another AP in an office. I’m wondering if it would be possible to use them in a cluster or whether I’d need a controller.

    • Hi Fred, This will create an overlapping ip with BVI100 so you management has to be on different subnet, but you can do this for SFR if you’d like. As for WiFi you can most definitely use the same vlan id. My example was for WLC when you would have a FlexGroup matching WLAN id to Vlan id. Thanks

  • Hello, Thanks for your feedback on my related problem. I was hoping there was some weird layer2 behavior which prevented the tunnel traffic from reaching the BVI to begin with and having a physical interface in linkstate ‘up’ allowed the traffic to route through the backplane, but I can definitely see where that would create problems. I believe I’m in the clear then, that whatever’s limiting BVI interface’s connectivity over the VPN, there isn’t an on-the-box solution yet.

  • Hello, thanks for this excellent post. Just one question from my side, is it possible to use the ASA55506w as a Wifi Bridge or repeater?

    Tia Roger

  • Nice article but I was a little confused on a couple things. I’m trying to configure a SOHO using a 5506-X and I can’t get the tunnel to establish and I feel it’s NAT related. With the 5506-X, once a tunnel was up are you unable SSH across the tunnel from the head end to manage the 5506-X? Do you need to bridge the Mgmt interface for any mgmt(SSH, HTTPS) or just FirePower?

    • Hi, so the only way I got it to work is to burn another interface as Layer 3 (not bridged). Also I had no luck with using port 8 which is looped to mgmt. If you look at diagram you will see port 6 and 7 looped to each other. the only reason for it is to bring interface up and use port 6 as dedicated management interface.

      interface GigabitEthernet1/6
      nameif Management
      security-level 100
      ip address 10.x.x.253

  • I’m confused as you say in this article:
    Next, configure dedicated Management interface for ASA. “I’ll use dc1 subnet for management”

    BUT that will over lap with your BVI interface as you stated in the comments section to Fred “This will create an overlapping ip with BVI100 so you management has to be on different subnet”

    so my question is how are you configuring BVI and Interface gi1/6 on the same subnet?

    • Hi, With dc1 I refer to the subnet routed to datacenter 1. If you look at the last octet you can see bvi and port 1/6 are on different subnets. It does not have to be that way, just to conserve subnet space.

Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar