Background

* PIX1/ASA1 establishes site-to-site IPSec VPN tunnels over ISP2 with PIX2/ASA2 and PIX3/ASA3
* Internet traffic goes through Router
* Catalyst 3560 Switch is a Layer-3 capable Switch
* There are a couple of Layer-2 Catalyst 2950 switches as access switches
* Only Router, PIX/ASA, and access switches connect to Catalyst 3560 Switch
* All hosts (servers, PC, printers, etc.) connect to access switches
* VLAN 7 is the Network Management VLAN, used for Router and PIX/ASA management (10.1.0.0/24)
* VLAN 11 is a separate Production VLAN for hosts (10.1.1.0/24)
* The Router management IP address is 10.1.0.7 and the PIX/ASA management IP address is 10.1.0.5
* Similarly, Remote Site 2 IP subnets are 10.2.0.0/24 as Network Management VLAN and 10.2.1.0/24 as Production VLAN
* Remote Site 3 IP subnets are 10.3.0.0/24 as Network Management VLAN and 10.3.1.0/24 as Production VLAN

Objective

* Traffic between the local network behind the 3560 switch and the remote sites goes through PIX1/ASA1 to PIX2/ASA2 and PIX3/ASA3 (via the IPSec VPN tunnels)
* Internet traffic goes through the Router
* The Catalyst 3560 Switch is to be the Core Switch, controlling Layer-2 and Layer-3 network management of VLAN 7 and VLAN 11
* From a Layer-2 perspective, only VLAN 11 exists at the access switches for hosts; VLAN 7 as Network Management VLAN exists at the Core and access switches
* From a Layer-3 perspective, both the VLAN 7 and VLAN 11 interfaces exist at the Core switch to do the routing and Layer-3 switching (as internal router)

Network Diagram

                                                   == IPSec VPN ==
ISP1 ---- Router ---- Catalyst 3560 Switch ---- PIX1/ASA1 ---- ISP2 ----- PIX2/ASA2
                         |          |                             |
                      Trunks     Trunks                           |
                         |          |                             |
                     Catalyst   Catalyst                      PIX3/ASA3
                       2950       2950
                     Switch 1   Switch 2

Network Design

The 3560 Switch
* Set up the 3560 switch as the Core Switch running both Layer-2 and Layer-3 functionality
* There will be trunks between the Layer-2 switches and this 3560
* The 3560 will do the routing (the Layer-3 functionality) and act as the internal router
* As internal router, the 3560 will be the default gateway of all local machines
* As internal router, the 3560 also decides whether traffic should go to the router, to the PIX/ASA, or stay local
* For all Internet traffic, the 3560 should point the traffic to the router. You can set this up by creating a static route for 0.0.0.0/0 pointing to 10.1.0.7 (the router)
* For all VPN connections to the remote sites, the 3560 should point the traffic to the PIX/ASA. You can set this up by creating static routes for the remote site subnets pointing to 10.1.0.5 (the PIX/ASA)

The Router
* Set up proper NAT/PAT on the router so that all local machines can use the router's public IP address to go out to the Internet
* There should be a static route pointing to the 3560 to reach all local machines
* There should be a static route pointing to the PIX/ASA to reach the remote sites via VPN

The PIX/ASA
* No NAT is necessary since the PIX/ASA acts only as a VPN concentrator
* There should be a static route pointing to the 3560 to reach all local machines
* There should be a static route pointing to the router for Internet traffic

Sample Configurations

Router Configuration

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
!
!
interface Ethernet0
description Facing the ISP (the WAN)
ip address 182.53.4.54 255.255.255.0
ip nat outside
!
interface Ethernet1
description Facing LAN 1
ip address 10.1.0.7 255.255.255.0
ip nat inside
!
!-- Static Route for Internet traffic, where 182.53.4.1 is typically the ISP1 router or equipment
ip route 0.0.0.0 0.0.0.0 182.53.4.1
!-- Static Route to reach the local subnets behind the 3560 (VLAN interface 10.1.0.2)
ip route 10.1.0.0 255.255.0.0 10.1.0.2
!-- Static Route to reach the remaining subnets within 10.0.0.0/8 (which includes the PIX2 and PIX3 subnets) via the PIX/ASA
ip route 10.0.0.0 255.0.0.0 10.1.0.5
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
line con 0
exec-timeout 0 0
logging synchronous
login
transport input none
line aux 0
login
line vty 0 4
login
!
end
 

PIX1/ASA1 Configuration

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd **** encrypted
hostname PIX1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!
!--- Defining object groups to be used in the rest of the configuration
object-group network PIX1-Subnet
network-object 10.1.0.0 255.255.0.0
object-group network PIX2-Subnet
network-object 10.2.0.0 255.255.0.0
object-group network PIX3-Subnet
network-object 10.3.0.0 255.255.0.0
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 2:
!--- 10.1.0.0/16 is the local subnet range behind this PIX 1 VPN device, used as the source subnet
!--- 10.2.0.0/16 is the remote subnet range residing behind the PIX 2 remote VPN device, used as the destination subnet
access-list PIX1-PIX2 permit ip object-group PIX1-Subnet object-group PIX2-Subnet
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 3:
!--- 10.1.0.0/16 is the local subnet range behind this PIX 1 VPN device, used as the source subnet
!--- 10.3.0.0/16 is the remote subnet range residing behind the PIX 3 remote VPN device, used as the destination subnet
access-list PIX1-PIX3 permit ip object-group PIX1-Subnet object-group PIX3-Subnet
!
!--- No NAT in place for traffic to the other PIX Firewall private networks
!--- This access list is associated with the nat 0 (inside) command
access-list nonat permit ip object-group PIX1-Subnet object-group PIX2-Subnet
access-list nonat permit ip object-group PIX1-Subnet object-group PIX3-Subnet
!
pager lines 24
logging on
logging facility 20
logging queue 512
mtu outside 1500
mtu inside 1500
ip address outside 182.18.124.153 255.255.255.0
ip address inside 10.1.0.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 access-list nonat
!
!-- Static Route to reach the remaining subnets within 10.0.0.0/8 (which includes the PIX2 and PIX3 subnets)
!-- Note that 182.18.124.1 is the PIX1 default gateway, which is typically the ISP2 router or equipment
route outside 10.0.0.0 255.0.0.0 182.18.124.1 1
!
!-- Static Route to reach the Internet via the Router
route inside 0.0.0.0 0.0.0.0 10.1.0.7 1
!-- Static Route to reach the local subnets behind the 3560 (VLAN interface 10.1.0.2)
route inside 10.1.0.0 255.255.0.0 10.1.0.2 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
timeout h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server location
no snmp-server contact
!--- Default SNMP community string; set a non-default community or disable SNMP if it is not used
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address PIX1-PIX2
crypto map newmap 20 set peer 182.18.124.154 
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address PIX1-PIX3
crypto map newmap 30 set peer 182.18.124.157 
crypto map newmap 30 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 182.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 182.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
!--- ISAKMP (IKE phase 1) policies. DH group 1 and MD5 (and 3DES in policy 20) are considered weak by
!--- current standards; prefer a larger DH group, SHA-family hashing and AES where the platform supports them
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
!
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:436c96500052d0276324b9ef33221b2d
: end
 

Catalyst 3560 Switch

vlan 1,7,11,100
!
ip routing
!
interface FastEthernet0/1
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/7
description Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/8
description Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
description Layer-2 Switch 1 
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/10
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/11
description To Router
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/12
description To PIX1/ASA1
switchport access vlan 7
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan7
description Management
ip address 10.1.0.2 255.255.255.0
!
interface Vlan11
description Servers (Production)
ip address 10.1.1.2 255.255.255.0
!
interface Vlan100
description Users (Production)
ip address 10.1.100.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.0.7
ip route 10.0.0.0 255.0.0.0 10.1.0.5
 
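The forwarding decisions described under Network Design can be checked by walking the static routes of the three sample configurations. The following route tracer is an added example, not part of the original FAQ: it transcribes the routes from the configurations above (the ISP devices are treated as exit points, and the mapping of each next-hop address to its owning device is an assumption taken from the page's addressing) and reports where each destination ends up. It also shows that a destination inside 10.1.0.0/16 that no VLAN on the 3560 serves bounces between the 3560 (10.0.0.0/8 via 10.1.0.5) and PIX1 (10.1.0.0/16 via 10.1.0.2) until its TTL expires.

```python
import ipaddress

# Static routing tables transcribed from the sample configurations above.
# next_hop None means the prefix is directly connected (delivered locally).
TABLES = {
    "3560": [("10.1.0.0/24", None), ("10.1.1.0/24", None), ("10.1.100.0/24", None),
             ("0.0.0.0/0", "10.1.0.7"), ("10.0.0.0/8", "10.1.0.5")],
    "Router": [("10.1.0.0/24", None), ("182.53.4.0/24", None),
               ("0.0.0.0/0", "182.53.4.1"), ("10.1.0.0/16", "10.1.0.2"),
               ("10.0.0.0/8", "10.1.0.5")],
    "PIX1": [("10.1.0.0/24", None), ("182.18.124.0/24", None),
             ("10.0.0.0/8", "182.18.124.1"), ("0.0.0.0/0", "10.1.0.7"),
             ("10.1.0.0/16", "10.1.0.2")],
}
# Assumed owner of each next-hop address. ISP1/ISP2 are exit points; on PIX1 the
# 10.0.0.0/8 route towards ISP2 is where the crypto map encrypts remote-site traffic.
OWNER = {"10.1.0.2": "3560", "10.1.0.7": "Router", "10.1.0.5": "PIX1",
         "182.53.4.1": "ISP1", "182.18.124.1": "ISP2"}


def lookup(device, dst):
    """Longest-prefix match on one device; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(start, dst, max_hops=8):
    """Walk next hops from `start` towards dst; returns (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        hit = lookup(device, dst)
        if hit is None:
            return path, "no route"
        nh = hit[1]
        if nh is None:
            return path, "delivered"        # connected subnet on this device
        nxt = OWNER[nh]
        if nxt in path:                     # same device seen again: routing loop
            return path + [nxt], "loop"
        path.append(nxt)
        if nxt.startswith("ISP"):
            return path, "exit"             # leaves the site (Internet or VPN peer)
        device = nxt
    return path, "ttl exceeded"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.2.1.10", "10.1.1.10", "10.1.200.1"):
        print(dst, *trace("3560", dst))
```

A more specific route on the 3560 for each remote site (10.2.0.0/16 and 10.3.0.0/16 via 10.1.0.5, as the Network Design text suggests) instead of the 10.0.0.0/8 summary would stop the loop, since unserved 10.1.x.x destinations would then fall to the default route and be dropped upstream rather than bounced.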

by aryoba See Profile
last modified: 2012-05-18 12:48:19