2016-06-24

It's time for a topology change!



The other topology was not suited to running the VPNs over it, so I created a new one. We don't have any of the fun stuff like IPS, ACS, ISE, Wifi, or even the ability to run a GUI. It is just going to be CLI only.

I have just done the basic IP addressing so far. The ASAs all get an IP address of .254 for the respective subnet. The routers get an IP, which matches their loopback interface, so Local-1 gets the address 10.1.1.1 on its Gi0/0 interface, and DMVPN-Hub1 has the address 10.1.4.4, and so on.

I have not quite worked out the routing protocols yet; I'll mull it over this weekend. For the moment we will get the ASAs up, mainly the Multicontext Failover ASA and the Transparent ASA.

Transparent ASA
I have already covered transparent ASAs here, so here is just the config:

Moving swiftly on...

Multicontext Active/Standby ASAs
I haven't looked at Active/Standby ASAs in Multicontext mode before, but let's start with the failover stuff, then work out the rest.

Now we just copy this, with a minor edit to the second ASA:

Setting up failover first makes life a little easier.

The primary ASA will then restart, and the secondary will take over:

This does not mean that the secondary will have its mode changed, though:

Let's switch the secondary to multiple-context mode and then failover should work again:

We still need to re-enable failover, though (notice that in the second line failover says "off"):

We need to do this on the mate as well:
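The sequence above (failover first, then the mode change on each unit, then re-enabling failover on both) as one worked configuration. This is an added example, not the post's own config: the hostnames, the failover link name and interface (FOLINK on Gi0/3), its addresses and the key value are all assumptions.

```cisco
! ---- Primary unit (assumed names and addresses; not the post's config) ----
hostname MC-ASA-Pri
! Dedicated failover link: state sync and config sync both ride on it
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Without a key the hello/sync traffic crosses the link in clear text,
! so set one on both units (placeholder value here)
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
failover

! ---- Secondary unit: the only edit is the unit role ----
hostname MC-ASA-Sec
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/3
 no shutdown
failover

! ---- Mode change, done on the primary first ----
! The unit reloads; the secondary (still single mode) becomes active
mode multiple

! ---- After the reload, repeat on the secondary so both units match ----
mode multiple

! ---- Then confirm and re-enable on each unit that reports "Failover Off" ----
show mode
show failover
failover
```

The checks to run before moving on are `show mode` on both units (both must say multiple) and `show failover` on both (neither may report failover off). The failover link should be a dedicated, isolated segment rather than a VLAN shared with user traffic, since whoever can reach it can see the config sync.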

All in all, it is probably quicker to set up the mode first and then set up the failover. Nevertheless, we got there in the end. Let's crack on and build the multi-context part. We will need to use sub-interfaces and trunk the switch.

We will have to make a slight change to the main interface to account for the sub-interfaces, by way of setting the VLAN information:

Let's make sure the interfaces are up:

Now a little testing:

Next, we need to set up ISP-1, and add the VLANs to the intermediate switch, and then test from the ASA:

This is pretty much the very basics done. I won't be overly permissive with the ASA access-lists this time around. Instead, we will be making use of the default deny, and being very strict by allowing just the source and destination IP addresses and relevant ports.
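The sub-interface, trunk, context and access-list steps described above, put together as one added example (not the post's configuration). The VLAN ids, context names, config-url paths, switch port, standby addresses and the outside subnet are assumptions; the only values taken from the post are the .254 ASA addressing, Local-1 at 10.1.1.1 and DMVPN-Hub1 at 10.1.4.4.

```cisco
! ---- System execution space on the failover pair (assumed VLANs/names) ----
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/admin.cfg
!
context CTX1
 allocate-interface GigabitEthernet0/1.10 inside
 allocate-interface GigabitEthernet0/1.20 outside
 config-url disk0:/ctx1.cfg

! ---- Intermediate switch: trunk only the VLANs the ASA needs ----
interface GigabitEthernet0/2
 description trunk to MC-ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! ---- Inside context CTX1 (changeto context CTX1) ----
interface inside
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253
interface outside
 nameif outside
 security-level 0
 ip address 10.1.4.254 255.255.255.0 standby 10.1.4.253
!
! Nothing is permitted except the named source/destination/port pairs;
! the implicit deny at the end of the list drops everything else
access-list INSIDE_IN extended permit tcp host 10.1.1.1 host 10.1.4.4 eq 443
access-list INSIDE_IN extended permit icmp host 10.1.1.1 host 10.1.4.4 echo
access-group INSIDE_IN in interface inside

! ---- Checks ----
show interface ip brief
show failover
! Allowed flow should end with "Action: allow"; anything off-list should be dropped
packet-tracer input inside tcp 10.1.1.1 12345 10.1.4.4 443
packet-tracer input inside tcp 10.1.1.1 12345 10.1.4.4 22
```

Testing with `packet-tracer` for one permitted and one non-permitted flow confirms the default deny is doing its job before any hosts are put behind the context; the second trace should be dropped by the access-list rather than allowed by an over-broad entry.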

All the IGPs (when I figure out what I will be using and where) will be using authentication, but at least I am in good stead to get started learning the different VPNs.

We will start by getting Local-1 connected to RTD-ASA, which in turn will be connected to CA-Flex, which connects to DMVPN-Hub2. This will use OSPF to propagate the routes, and join RTD-ASA and DMVPN-Hub2 by way of secured OSPF. Once this is done, we'll set up an IPSec VPN between the ASA and DMVPN-Hub1.

But that won't be until next week, because I am taking the kids and wife away for the weekend.

Have a good weekend.
