Solved

Have Dual ISP, want incoming IPSEC from BOTH ISPs... what is the proper hardware/config?

Posted on 2009-07-04
Last Modified: 2012-05-07
Please read over the question and answer for:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24537164.html

Basically the answer is that I can't accomplish what I want with what I have.  So now I'm asking the experts: what is the proper configuration to fulfill these requirements:

Dual ISP.
The default route for outgoing traffic will be ISP1, unless it goes down, then ISP2 should take over.  That part is simple enough I believe.

The only incoming traffic is Cisco VPN Client (IPSEC), but it needs to be active on BOTH ISPs at the same time.   A user should be able to connect to the static IP of ISP1, or the static IP of ISP2, and successfully make an IPSEC connection.   This is where my current hardware/configuration doesn't work.  Reviewing the question will tell you why.

More details are in the original question, but right now we have a Cisco 1811 (to deal with dual wan) and behind that is a Cisco 5510 (firewall, access rules, etc), which also is the VPN server.

I'm open to other ideas, including new hardware.

Question by:kevin_u
6 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 24777479
My idea here is to put a secondary IP address on the ASA. You then would route-map the second IP to the second ISP on the 1811. The ASA would perform NAT, Firewall, and VPN.
 
LVL 12

Author Comment

by:kevin_u
ID: 24777522
I thought of that. Based on my original experimentation, the ASA box would not route to the secondary interface.  Let's say a user from outside has a public IP of 99.99.99.99.  That user connects to the 1811, ISP2, on IP 2.2.2.2... which then gets forwarded to the ASA on the secondary interface.   The ASA would see the 99.99.99.99 coming into its secondary IP, and when it responds, would then consult the routing table for how to route 99.99.99.99... which, because 99.99.99.99 is a public IP... would be down the primary interface... and therefore out ISP1.
 
LVL 15

Accepted Solution

by:wingatesl
wingatesl earned 250 total points
ID: 24777660
Second IP address on the primary external interface of the ASA. On the 1811 you would have your default route and then a simple route-map:

ip access-list extended director
  permit ip host <secondary ip of ASA> any

route-map director permit 10
   match ip address director
   set ip next-hop <secondary ISP gateway>

An ARP alias on the ASA should allow you to get the secondary IP.
Personally I would ditch the ASA and use an 1811 on each ISP. The IOS firewall is the same as the ASA and it would give you more flexibility.
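The steering that the accepted answer sketches, written out as a fuller IOS configuration for the 1811. This is an added illustration, not configuration from the thread or from Cisco: the interface names and addresses are assumed (RFC 5737 documentation ranges), it assumes the 1811 holds one-to-one static NAT from each ISP's public static onto an ASA outside address, and it folds in the tracked default route for the ISP1-to-ISP2 failover the question mentions. It does not address how the ASA is made to answer for its secondary address (the ARP-alias point raised in the thread).

```cisco
! Added example, not from the thread. Assumed addressing (RFC 5737 ranges):
!   ISP1: 1811 FastEthernet0 203.0.113.2/29, ISP1 gateway 203.0.113.1
!   ISP2: 1811 FastEthernet1 198.51.100.2/29, ISP2 gateway 198.51.100.1
!   Transit to ASA: 1811 Vlan1 192.0.2.1/29
!                   ASA outside primary 192.0.2.2, ASA outside secondary 192.0.2.3
!   Public statics given to VPN clients: 203.0.113.3 (ISP1) and 198.51.100.3 (ISP2)

interface FastEthernet0
 description ISP1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface FastEthernet1
 description ISP2
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
interface Vlan1
 description transit to ASA outside
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
 ! Policy routing is evaluated on the ingress interface before inside-to-outside
 ! NAT, so the ACL below matches the ASA's pre-translation address.
 ip policy route-map director
!
! Outgoing default via ISP1; the floating route (AD 10) takes over when the
! probe to ISP1's gateway fails and track 1 goes down.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! One public static per ASA outside address: clients dial 203.0.113.3 or
! 198.51.100.3 and land on the same ASA.
ip nat inside source static 192.0.2.2 203.0.113.3
ip nat inside source static 192.0.2.3 198.51.100.3
!
! Anything the ASA sends from its secondary address (replies to clients that
! arrived via ISP2) is forced to the ISP2 gateway instead of the default route,
! which is the step the ASA's own routing table cannot do on its own.
ip access-list extended director
 permit ip host 192.0.2.3 any
!
route-map director permit 10
 match ip address director
 set ip next-hop 198.51.100.1
```

Two details worth checking on a real box: the SLA probe targets the directly connected ISP1 gateway, so it is never itself routed through the floating default after a failover (probing something further away would flap the track once the default moved to ISP2); and the route-map is applied only on the interface facing the ASA, so traffic from the ASA's primary address still follows the default route and fails over with it, while traffic from the secondary address is pinned to ISP2 regardless of which default is active.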
 
LVL 12

Author Comment

by:kevin_u
ID: 24777712
I believe I see how that would work now.  

When I've tried to put a secondary IP on the ASA before, the software required that it be on a separate subnet.   Is there another way to put a secondary IP on that interface?  Or, would I configure two small subnets on the primary external interface of the ASA, and one big one on the 1811?... then use ARP aliases?... thinking out loud here...

I appreciate the help!... this should be my last question on the subject!
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 250 total points
ID: 24780667
My original post to this was
-------------
The setup you want to create cannot be accomplished.

Reason:

The default gateway is ISP1, and since your remote VPN clients come from random IPs, the router doesn't know when to route via ISP2. If these had been L2L tunnels, static that is, it could have been done, as you then could have added the static routes via ISP2.

The only way you can use ISP2 when using remote VPN clients is as backup server but ISP1 would be primary.
-------------

However, giving it some thought, there might be a way. Remember this is just an idea; I have no evidence that it will work, it will be messy if it does, and I am not totally sure about how to configure it, but if you can use any of it, be my guest.

It requires the Cisco 1811 to run IOS version 12.4(6)T or later with the Advanced Security feature set.

The setup.

Make use of a VRF in the 1811 to terminate the 2nd ISP. Configure Remote VPN and NAT in the VRF to reflect the configuration of the ASA, with reverse route injection. Apply a zone-based firewall policy to allow traffic to go to and from the global routing table. You should be able to configure static routing to point the 1811 VRF Remote VPN net into the VRF. In the VRF you make the default route via ISP2 and reach the internal networks via the global routing table.

Set the ASA as gateway in the global routing table of the 1811 and use tracking to fail over to ISP2. Make a static route on the ASA pointing the 1811 VRF remote VPN net to the global routing table IP.

That's my idea, but I am not sure it's solid, and I'm certain it's not best practice.
 

Expert Comment

by:gevansmdes
ID: 24916669
You could simplify this all by getting your own public IP space from ARIN and then using BGP to your ISPs (some ISPs won't allow this, so call first and switch if they don't). This will allow the border routers to handle the best route as well as the ISP. The ASA will function in the back via whatever IP you give it. Forget all those route statements and ARP injections. BGP will also increase/improve tx and rx to the www.