The Cisco ASA 5506-X/W came out as a perfect fit for a home/small office network, with an NG firewall, a built-in wireless AP (LWAP capable) and the FirePOWER IPS/URL features that were lacking on the ASA 5505. However, in a remote access VPN setup it looked really ugly when every port had to be its own Layer 3 gateway. The lack of bridging functionality broke features like AirPrint, forcing people to buy a switch and an external AP to get around these limitations.
Finally, an update came out with the interface bridge feature and support for VPN connectivity. With this in mind, we can now deploy it as a complete security solution for remote users and sites. In this post, I'll go over configuration specifics and some workarounds needed to make it work.
Cisco ASA: 9.7(1)8
Before we go any further, be aware of this bug. At the time of this writing the fix is to disable any dynamic and multicast routing.
This setup is for a remote user working from a home office, but the configuration can easily be tweaked to support a small office (expand the DHCP scope and add a Layer 2 switch).
Port 1 will be set up for the DHCP Internet/modem connection. Port 1/2 Vlan100 (10.x.x.0/24) traffic will be encapsulated over the tunnel to the primary datacenter (dc1). Port 1/3 Vlan200 (10.y.y.0/24) traffic will be encapsulated over a different tunnel to the secondary/backup datacenter (dc2). There are a few reasons for this. The first and obvious one is redundancy: if connectivity to dc1 fails, the user can simply move the cable over to port 1/3 and be connected through the backup tunnel. The other reason is troubleshooting. A lot of times, especially with voice and video streams, when a user reports connectivity issues it is much easier to rule out the path: all you need to do is move the cable over to the next port.
A BVI interface cannot be used to manage the ASA remotely over a VPN tunnel.
To manage the ASA over VPN, the management IP has to be assigned to a physical interface. We can do it two ways: either use two ports (1/6 and 1/7) so we do not rely on user connectivity, or use port 1/8 and reuse the same subnet for FirePOWER (FP) management. If physical port availability is not limited I'd prefer the first option, and I'll explain why later.
Now for the configuration breakdown.
ip address dhcp setroute
Primary and backup BVI interfaces.
ip address 10.x.x.1 255.255.255.248
ip address 10.y.y.1 255.255.255.248
Assign VLANs to interfaces. Note that you still need to specify the nameif and security-level commands, otherwise traffic will not pass.
If you need to configure a trunk interface (for a Layer 2 switch) then it will look similar to the configuration below. Again, do not forget to apply a name and security level to the logical interfaces.
no ip address
Next, configure a dedicated management interface for the ASA. I'll use the dc1 subnet for management.
ip address 10.x.x.253 255.255.255.252
For FP management I'll use a subnet routed over to dc2 for ASA fallback access (see Part 2).
ip address 10.y.y.9 255.255.255.252
WiFi interface setup. As you can see, we now use the same Vlan 100 for IP address assignment, which resolves the AirPrint issues. If the AP is managed by a Wireless LAN Controller (WLC) then you can match the WiFi data VLAN (300 in this example) to the corporate setup. No need to create a dedicated Flex group on the WLC.
ip address 10.y.y.253 255.255.255.252 // dc2 subnet was used as an example
Of course, your interface names will show up on the FMC device management screen and they will need to be assigned to security zones like any other named interface.
Next, configure NAT and PAT.
object-group network OG_RFC-1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
nat (any,outside) source static OG_RFC-1918 OG_RFC-1918 destination static OG_RFC-1918 OG_RFC-1918 no-proxy-arp route-lookup
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface
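To see why the order of these two statements matters, here is an added Python model (not from the original post and not Cisco code) of how the ASA evaluates them: the manual twice-NAT identity rule sits in NAT section 1 and is checked before the section 2 object NAT, so RFC 1918 to RFC 1918 flows keep their real source address (and can match the tunnel), while everything else is PATed behind the outside interface. The outside address 203.0.113.10 and the sample flows are constructed values.

```python
import ipaddress

# Constructed model of the two NAT statements in this post. The ASA evaluates
# section 1 (manual / twice NAT) before section 2 (object NAT), regardless of
# the order they appear in the running config.
OG_RFC1918 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

NAT_RULES = [
    # (section, config text, source match, destination match, action)
    (1, "nat (any,outside) source static OG_RFC-1918 OG_RFC-1918 "
        "destination static OG_RFC-1918 OG_RFC-1918 no-proxy-arp route-lookup",
     OG_RFC1918, OG_RFC1918, "identity"),
    (2, "object network obj_any / nat (any,outside) dynamic interface",
     ANY, ANY, "pat"),
]


def in_group(addr, group):
    """True if addr falls inside any network of the object group."""
    return any(addr in net for net in group)


def nat_decision(src, dst, outside_ip="203.0.113.10"):
    """Return (action, translated_source) for a src->dst flow leaving via outside.

    'identity' keeps the real source address, so the packet can still match the
    crypto map / VPN filter for the tunnel. 'pat' hides it behind the outside
    interface address (outside_ip is a constructed placeholder).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _section, _text, src_grp, dst_grp, action in sorted(
            NAT_RULES, key=lambda r: r[0]):
        if in_group(s, src_grp) and in_group(d, dst_grp):
            return (action, str(s)) if action == "identity" else (action, outside_ip)
    return ("none", str(s))


if __name__ == "__main__":
    # Constructed sample flows: home LAN host to datacenter, and to the Internet.
    for flow in (("10.1.1.5", "10.50.0.7"), ("10.1.1.5", "8.8.8.8")):
        print(flow, "->", nat_decision(*flow))
```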
Set up management and monitoring.
aaa-server TACACS+ (Management) host ***
snmp-server host Management *** community ***
logging host Management ***
http server enable
http 0 0 Management
ssh 0 0 Management
dhcpd dns ***
dhcpd domain ***
dhcpd option 150 ip *** // for the IP phones if needed
dhcpd option 43 hex *** // for WLC if needed
dhcpd address 10.x.x.2-10.x.x.6 inside-dc1
dhcpd enable inside-dc1
dhcpd address 10.y.y.2-10.y.y.6 inside-dc2
dhcpd enable inside-dc2
dhcpd address 10.y.y.254-10.y.y.254 wifi-mgmt
dhcpd enable wifi-mgmt
With FP I found it much easier to use DHCP for IP address assignment, as it pulls most of the settings during configuration (except the hostname, which can be assigned later). The DHCP pool contains a single IP, which guarantees the same address assignment after reboot.
dhcpd address 10.y.y.10-10.y.y.10 inside8
dhcpd enable inside8
This should be all you need for networking and packet forwarding through the ASA. In my next post I'll cover VPN configuration specifics.