topic Re: IPSEC question in General Topics

IPSEC question

donathon — Mon, 13 Mar 2017 05:39:02 GMT

Hi,

I have an existing site with Cisco ASA IPsec tunnel to my HQ Site with Palo Alto firewall. Users at the existing site obtained their IP
address via DHCP Server configured on the ASA.T he inside interface is G0/0 with 10.10.1.10/24 and outside interface is ISP public IP
address. PAT translation is configured for internet access. For internal users to access the servers in HQ, it is configured with nat
exemption. There is no DMZ interface. Default route goes to the ISPA next at branch site. On HQ side, default route configured to ISPB
next hop.

There will be a new office setup in another location with another new Cisco ASA IPsec tunnel back to the same HQ site PA FW. The
inside interface on this new firewall is also G0/0 10.10.1.10/24, PAT translation for internet and also nat exemption for users to access
HQ servers.DHCP server will also be configured on the new ASA, The new office has different ISP provider.Eg ISP C and ISP D on each
side.

Just wanted to ask some subnet concepts and IP addressing at the existing site and also the new site for the IPsec parallel migraton.

In order to run IPsec on both locations parallel to HQ, on existing site, Could i just change the DHCP range to be 10.10.1.1
10.10.1.128 on the existing branch site ASA. For new site, the DHCP range will be 10.10.1.129 10.10.1.254. There will be no
additional tunnel interface created at the PA FW in HQ. Will this method works? The inside ASA interface on both existing and new site is still 10.10.1.10/24.

Re: IPSEC question

santonic — Mon, 13 Mar 2017 07:18:13 GMT

Not pretty but it would work. Just make sure routes on PA are correct: 10.10.1.0/25 to the first tunnel interface and 10.10.1.128/25 to the second. However for IPSEC to be established with current settings you will have to keep Proxy IDs on PA as 10.10.1.0/24 for both.

Just out of curiosity; why not just setup 2nd location with 10.10.2.0/24 network? I doubt you're running out of private classes?

Re: IPSEC question

donathon — Mon, 13 Mar 2017 07:22:02 GMT

Won't the return traffic have issues since the gateway are the same but yet the host are on 2 physically disconnected IPSEC tunnel? Would services that rely on broadcast traffic still work since it is the same broadcast domain but on 2 physical links?

Re: IPSEC question

santonic — Mon, 13 Mar 2017 07:26:04 GMT

Why would the gateway be the same? You mean for routes that point into IPSEC tunnel?

Point those routes to interace only, not specific IP.

Like:

10.10.1.0/25 next hop interface tunnel.x1

10.10.1.128/25 next hop interface tunnel.x2

Re: IPSEC question

donathon — Mon, 13 Mar 2017 07:38:51 GMT

As mentioned in the first post. There is no subnetting in place. Basically, both of the tunnel is using /24 which have the same gateway and same broadcast domain. The only thing that is different is the DHCP scope is active for the first tunnel (.1-.128) only and the 2nd tunnel we are going to set static IPs. DHCP would not be possible for the 2nd tunnel.

Re: IPSEC question

santonic — Mon, 13 Mar 2017 07:44:21 GMT

Ohh, I missed the part about 'There will be no additional tunnel interface created at the PA FW in HQ'

How will you make it work then? I don't see a way without additional IPSEC configuration (with needed tunnel interface) on PA.

Re: IPSEC question

donathon — Mon, 13 Mar 2017 07:47:00 GMT

So do you know of any method of making this work? Is this technically not possible?

Re: IPSEC question

santonic — Mon, 13 Mar 2017 07:52:38 GMT

Why not make second IPSEC tunnel on PA? Then everything would be possible (and easy).

Re: IPSEC question

donathon — Mon, 13 Mar 2017 07:58:13 GMT

Well that's not what our Manager that runs network and the firewall says. I am saying that it will not work he is inisting that it will work. So here I am asking if this is even technically feasible.

Re: IPSEC question

santonic — Mon, 13 Mar 2017 08:07:37 GMT

Hehe, i feel sorry for you 🙂

Nope, IPSEC would be flapping between both sites imo. If it would work at all (it would have to be setup with dynamic IP etc..)

Re: IPSEC question

donathon — Mon, 13 Mar 2017 08:11:01 GMT

I am sorry how would dynamic IP work???

Re: IPSEC question

santonic — Mon, 13 Mar 2017 08:18:22 GMT

If you setup on PA IKE gateways with dynamic IPs, aggresive mode IKE and some other sort of ID for phase 1 both locations would be able to establish IPSEC tunnel. But I'm not sure what would happen if they do it at same time, probably IPSEC flapping. And there is no way to distinguish which traffic to route where.

Re: IPSEC question

donathon — Mon, 13 Mar 2017 08:27:29 GMT

Thanks a million!!!

Re: IPSEC question

santonic — Mon, 13 Mar 2017 08:35:21 GMT

Np.