Solved

Have Dual ISP, want incoming IPSEC from BOTH ISPs... what is the proper hardware/config?

Posted on 2009-07-04
647 Views
Last Modified: 2012-05-07
Please read over the question and answer for:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24537164.html

Basically the answer is that I can't accomplish what I want with what I have.  So now I'm asking the experts: what is the proper configuration to fulfill these requirements:

Dual ISP.
The default route for outgoing traffic will be ISP1, unless it goes down, then ISP2 should take over.  That part is simple enough I believe.

The only incoming traffic is Cisco VPN Client (IPSEC), but it needs to be active on BOTH ISPs at the same time.   A user should be able to connect to the static IP of ISP1, or the static IP of ISP2, and successfully make an IPSEC connection.   This is where my current hardware/configuration doesn't work.  Reviewing the question will tell you why.

More details are in the original question, but right now we have a Cisco 1811 (to deal with dual wan) and behind that is a Cisco 5510 (firewall, access rules, etc), which also is the VPN server.

I'm open to other ideas, including new hardware.

0
Comment
Question by:kevin_u
6 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 24777479
My idea here is to put a secondary IP address on the ASA. You then would route-map the second IP to the second ISP on the 1811. The ASA would perform NAT, Firewall, and VPN.
0
 
LVL 12

Author Comment

by:kevin_u
ID: 24777522
I thought of that. Based on my original experimentation, the ASA box would not route to the secondary interface.  Let's say a user from outside has a public IP of 99.99.99.99.  That user connects to the 1811, ISP2, on IP 2.2.2.2... which then gets forwarded to the ASA on the secondary interface.   The ASA would see the 99.99.99.99 coming into its secondary IP, and when it responds, would then consult the routing table for how to route 99.99.99.99... which, because 99.99.99.99 is a public IP... would be down the primary interface... and therefore out ISP1.
0
 
LVL 15

Accepted Solution

by:
wingatesl earned 250 total points
ID: 24777660
Second IP address on the primary external interface of the ASA. On the 1811 you would have your default route and then a simple route-map

ip access-list extended director
  permit ip host <secondary ip of ASA> any

route-map director permit 10
   match ip address director
   set ip next-hop <secondary ISP gateway>

! the policy only takes effect once it is applied inbound on the
! 1811 interface that faces the ASA
interface <interface facing the ASA>
   ip policy route-map director

an ARP alias on the ASA should allow you to get the secondary IP.
Personally I would ditch the ASA and use an 1811 on each ISP. The IOS firewall is the same as the ASA and it would give you more flexibility.
0
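As an added illustration of wingatesl's route-map approach (example configuration written for this page, not taken from any post here or from Cisco), the following shows how the tracking-based default route, the static translations for the two public VPN addresses and the policy route fit together on the 1811. All addresses are constructed placeholders from documentation ranges, and the interface names and the extra public addresses assigned by each ISP are assumptions.

```cisco
! Assumed, constructed addressing:
!   FastEthernet0 -> ISP1, 198.51.100.2/30, gateway 198.51.100.1
!   FastEthernet1 -> ISP2, 203.0.113.2/30,  gateway 203.0.113.1
!   Vlan1         -> segment toward the ASA outside, 1811 is 192.0.2.1/24
!   ASA outside   -> 192.0.2.10 (primary) and 192.0.2.11 (second address)
!
! Outbound default goes to ISP1 while its gateway answers pings;
! otherwise the floating static route (AD 250) via ISP2 takes over.
! (12.4(20)T-and-later syntax; older releases use "track 1 rtr 1 reachability")
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! Each ISP's public VPN address maps to a different ASA address, so a
! client that came in on ISP2 is answered from 192.0.2.11 and a client
! that came in on ISP1 from 192.0.2.10.
ip nat inside source static 192.0.2.10 198.51.100.10
ip nat inside source static 192.0.2.11 203.0.113.10
!
! Packets the ASA sends from its second address are forced out ISP2
! regardless of the routing table; everything else follows the default.
! (On inside-to-outside traffic IOS applies policy routing before NAT,
! so the match is on the inside address, not the translated one.)
ip access-list extended director
 permit ip host 192.0.2.11 any
route-map director permit 10
 match ip address director
 set ip next-hop 203.0.113.1
!
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface FastEthernet1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
 ip policy route-map director
```

With ISP1 down, ordinary outbound traffic still carries ISP1's translated source address when it leaves via ISP2, so complete outbound failover also needs per-ISP NAT rules; that part is outside what the accepted answer covers.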

 
LVL 12

Author Comment

by:kevin_u
ID: 24777712
I believe I see how that would work now.  

When I've tried to put a secondary IP on the ASA before, the software required that it be on a separate subnet.  Is there another way to put a secondary IP on that interface?  Or, would I configure two small subnets on the primary external interface of the ASA, and one big one on the 1811?... then use ARP aliases?... thinking out loud here...

I appreciate the help!... this should be my last question on the subject!
0
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 250 total points
ID: 24780667
My original post to this was
-------------
The setup you want to create cannot be accomplished.

Reason:

The default gateway is ISP1 and, since your remote VPN clients come from random IPs, the router doesn't know when to route via ISP2. If this had been L2L tunnels, static that is, it could have been done, as you then could have added the static routes via ISP2.

The only way you can use ISP2 when using remote VPN clients is as backup server but ISP1 would be primary.
-------------

However, giving it some thought, there might be a way. Remember this is just an idea and I have no evidence that it will work, and it will be messy if it does, and I am not totally sure about how to configure it, but if you can use any of it, be my guest.

It requires the Cisco 1811 to run IOS version 12.4(6)T or later with the Advanced Security feature set.

The setup.

Make use of a VRF in the 1811 to terminate the 2nd ISP. Configure Remote VPN and NAT in the VRF to reflect the configuration of the ASA, with reverse route injection. Apply a zone-based firewall policy to allow traffic to go to and from the global routing table. You should be able to configure static routing to point the 1811VRF Remote VPN net into the VRF. In the VRF you make the default route via ISP2 and the internal networks via the global routing table.

Set the ASA as gateway in the global routing table of the 1811 and use tracking to failover to ISP2. Make a static route on the ASA pointing the 1811VRF remote VPN net to the global routing table IP.


That's my idea, but I am not sure it's solid, and I'm certain it's not best practice.


0
 

Expert Comment

by:gevansmdes
ID: 24916669
You could simplify this all by getting your own public IP space from ARIN and then using BGP to your ISPs (some ISPs won't allow this, so call first and switch if they don't) - this will allow the border routers to handle best route as well as the ISP - the ASA will function in the back via whatever IP you give it.. forget all those route statements and ARP injections.. BGP will also increase / improve tx and rx to www
0
