Cisco – Route Specific Traffic To Another Firewall

Should the inside interface of the 5545 land first on the L2 edge switches and then trunk to the agg switches for better security or just have the inside drop straight into the Agg layer, also considering that private line traffic may come through yet another interface on the 5545 in the future

Since you did not say that the L2s would be running ACLs, I would not see a difference. I am guessing you will run tagging on the inside ASAs to the distribution layer. My firewalls connect directly to aggregation switches with a dedicated vlan that runs HSRP/VRRP between each set of firewalls and the agg switches.

As to private line traffic, I do not use ASA but I think they have the zones construct like IOS ZBF and you will keep VPN traffic from going to/from the private line traffic without going through packet filtering.

It sounds like default route points to the 5540 and you will use more specific routes to get to your internal VPN access pools and the private line addresses. The 5545 has the default route pointing to the 5540 and it is ok for VPN traffic to hit the internet directly (don't know if you split tunnel on your VPN clients) and other routes to your internal address space.

So I can not see any real problems with your plan. But some of my above assumptions may be wrong

I have to give credit to @ron for this answer.

The policy map was never going to work the way it was previously. @ron suggested a gre tunnel, then protect that with ipsec.

interface Tunnel0
ip address 10.10.10.2 255.255.255.252
ip mtu 1420
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
crypto map IOFVPN

and a route to point to the internal subnet on the remote side with a gateway of the remote side.

S    192.168.10.0/24 [1/0] via 10.10.10.1

I've never used gre before but I will now. Getting the tunnel up was pretty basic both on the cisco and linux ( openswan ) side. Once that was up and running I tested without ipsec.

On my fa0/0 interface, my internal I put:

ip policy route-map PROXY-REDIRECT

route-map proxy-redirect permit 100
 match ip address PROXY-REDIRECT
 set ip next-hop recursive 192.168.10.1

The matching ACL is:

ip access-list extended proxy-redirect
 deny   tcp host 192.168.30.13 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq 443
 permit tcp 192.168.30.0 0.0.0.255 any eq irc
 permit tcp 192.168.30.0 0.0.0.255 any eq 6667
 deny   tcp 192.168.30.0 0.0.0.255 any eq 5938
 deny   tcp any any
 deny   udp any any
 deny   ip any any

As soon as I added that my traffic started passing the way I wanted it. I'll note here that this ACL could be shrunk. I added the implicit deny's because I was having the odd traffic pass over the link.

Once was verified working then I just needed to wrap it in ipsec. Configuring the Cisco side was easy.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key *********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address IPSEC-GRE-IOF

ip access-list extended IPSEC-GRE-IOF
 permit gre host 1.1.1.1 host 2.2.2.2

** Must use transport mode. It took me a bit to figure that one out.

Apply that crypto map to both f0/1 and tun0 and you have a tunnel.

The openswan side is what gave me trouble though this whole thing. Their config is a bit odd and it just took some getting used to.

At the end of the day all traffic that I want is peeled off and routed through an ipsec protected gre tunnel to a remote endpoint.

Enjoy.