Solved

Have Dual ISP, want incoming IPSEC from BOTH ISPs... what is the proper hardware/config?

Posted on 2009-07-04
Last Modified: 2012-05-07
Please read over the question and answer for:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24537164.html

Basically the answer is that I can't accomplish what I want with what I have.  So now I'm asking the experts: what is the proper configuration to fulfill these requirements:

Dual ISP.
The default route for outgoing traffic will be ISP1, unless it goes down, then ISP2 should take over.  That part is simple enough I believe.

The only incoming traffic is Cisco VPN Client (IPSEC), but it needs to be active on BOTH ISPs at the same time.   A user should be able to connect to the static IP of ISP1, or the static IP of ISP2, and successfully make an IPSEC connection.   This is where my current hardware/configuration doesn't work.  Reviewing the question will tell you why.

More details are in the original question, but right now we have a Cisco 1811 (to deal with dual wan) and behind that is a Cisco 5510 (firewall, access rules, etc), which also is the VPN server.

I'm open to other ideas, including new hardware.

Question by:kevin_u
6 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 24777479
My idea here is to put a secondary IP address on the ASA. You then would route-map the second IP to the second ISP on the 1811. The ASA would perform NAT, Firewall, and VPN.
 
LVL 12

Author Comment

by:kevin_u
ID: 24777522
I thought of that. Based on my original experimentation, the ASA box would not route to the secondary interface.  Let's say a user from outside has a public IP of 99.99.99.99.  That user connects to the 1811, ISP2, on IP 2.2.2.2... which then gets forwarded to the ASA on the secondary interface.   The ASA would see the 99.99.99.99 coming into its secondary IP, and when it responds, would then consult the routing table for how to route 99.99.99.99... which, because 99.99.99.99 is a public IP... would be down the primary interface... and therefore out ISP1.
 
LVL 15

Accepted Solution

by:
wingatesl earned 1000 total points
ID: 24777660
Second IP address on the primary external interface of the ASA. On the 1811 you would have your default route and then a simple route-map

! Match traffic sourced from the ASA's secondary outside IP
ip access-list extended director
  permit ip host <secondary ip of ASA> any

! Send that traffic to the ISP2 gateway instead of following the default route
route-map director permit 10
   match ip address director
   set ip next-hop <secondary ISP gateway>

! The route-map only takes effect once it is applied as policy routing
! on the 1811 interface where the ASA's replies arrive
interface <1811 interface facing the ASA>
   ip policy route-map director

An ARP alias on the ASA should allow you to get the secondary IP.
Personally I would ditch the ASA and use an 1811 on each ISP. The IOS firewall is the same as the ASA and it would give you more flexibility.
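Putting the accepted answer together with the failover requirement from the question, here is a fuller 1811 configuration as an added example; it is not code from this thread, from Cisco, or from the poster. Everything concrete in it is an assumption: FastEthernet0 and FastEthernet1 as the two ISP uplinks, Vlan1 facing the ASA, RFC 5737 documentation ranges (203.0.113.0/29 for ISP1, 198.51.100.0/29 for ISP2, 10.0.0.0/24 between the 1811 and the ASA) standing in for real addresses, static NAT on the 1811 mapping each public VPN address to one of the ASA's two outside IPs, and IOS 12.4(20)T-style `ip sla` / `track` syntax (older 12.4T releases use `track 1 rtr 1 reachability`). It also assumes, as the thread proposes, that the ASA answers for both 10.0.0.2 and 10.0.0.3 on its single outside interface.

```cisco
! Added example, not from the thread. All addresses are constructed (RFC 5737 ranges).
!
! ISP1 uplink. The public address for VPN-via-ISP1 (203.0.113.3) is NATted to the ASA's primary IP.
interface FastEthernet0
 description ISP1 uplink
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! ISP2 uplink. The public address for VPN-via-ISP2 (198.51.100.3) is NATted to the ASA's secondary IP.
interface FastEthernet1
 description ISP2 uplink
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! Interface toward the ASA's outside interface. Policy routing is applied here,
! because this is where the ASA's replies to VPN clients enter the 1811.
interface Vlan1
 description toward ASA outside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map director
!
! One public VPN address per ISP, each mapped 1:1 to one of the ASA's outside IPs.
! 1:1 static NAT keeps ESP, UDP/500 and UDP/4500 intact for the VPN clients.
ip nat inside source static 10.0.0.2 203.0.113.3
ip nat inside source static 10.0.0.3 198.51.100.3
!
! Probe the ISP1 gateway; when it stops answering, track 1 goes down.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route via ISP1 is withdrawn when track 1 is down;
! the floating static (AD 10) via ISP2 then takes over for outbound traffic.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Replies sourced from the ASA's secondary IP must always leave via ISP2,
! regardless of which default route is active. Without this, a VPN client that
! connected to 198.51.100.3 would get its reply sent out ISP1 with a source
! address ISP1 does not own, and the IKE exchange would never complete.
ip access-list extended director
 permit ip host 10.0.0.3 any
!
route-map director permit 10
 match ip address director
 set ip next-hop 198.51.100.1
```

The reason this sidesteps the routing-table problem described earlier in the thread is that the ASA's only next hop for either of its outside addresses is the 1811 (10.0.0.1), so the ASA never has to decide between ISPs; the 1811 makes that decision from the source address of the reply. Two caveats worth checking in a lab before relying on it: during an ISP1 outage, replies from 10.0.0.2 follow the floating default out ISP2 while still being NATted to 203.0.113.3, which ISP2 may drop as a spoofed source (a second route-map entry with `set ip next-hop verify-availability` tied to track 1 addresses that); and `show track 1`, `show ip sla statistics` and `show route-map director` are the commands to confirm the tracking state and that the PBR counters are actually incrementing for ISP2-bound replies.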
 
LVL 12

Author Comment

by:kevin_u
ID: 24777712
I believe I see how that would work now.  

When I've tried to put a secondary IP on the ASA before, the software required that it be on a separate subnet.   Is there another way to put a secondary IP on that interface?  Or, would I configure two small subnets on the primary external interface of the ASA, and one big one on the 1811?... then use ARP aliases?... thinking out loud here...

I appreciate the help!... this should be my last question on the subject!
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 1000 total points
ID: 24780667
My original post to this was
-------------
The setup you want to create cannot be accomplished.

Reason:

The default gateway is ISP1 and since your remote VPN clients come from random IPs, the router doesn't know when to route via ISP2. If these had been L2L tunnels, static that is, it could have been done, as you then could have added the static routes via ISP2.

The only way you can use ISP2 when using remote VPN clients is as backup server but ISP1 would be primary.
-------------

However, giving it some thought, there might be a way. Remember this is just an idea and I have no evidence that it will work, it will be messy if it does, and I am not totally sure about how to configure it, but if you can use any of it, be my guest.

It requires the Cisco 1811 to run IOS version 12.4(6)T or later and the Advanced Security feature set.

The setup:

Make use of a VRF in the 1811 to terminate the 2nd ISP. Configure Remote VPN and NAT in the VRF to reflect the configuration of the ASA with reverse route injection. Apply a zone-based firewall policy to allow traffic to go to and from the global routing table. You should be able to configure static routing to point the 1811 VRF Remote VPN net into the VRF. In the VRF you make the default route via ISP2 and the internal networks via the global routing table.

Set the ASA as gateway in the global routing table of the 1811 and use tracking to fail over to ISP2. Make a static route on the ASA pointing the 1811 VRF remote VPN net to the global routing table IP.


That's my idea, but I am not sure it's solid, and certain it's not best practice.


 

Expert Comment

by:gevansmdes
ID: 24916669
You could simplify this all by getting your own public IP space from ARIN and then using BGP to your ISP (some ISPs won't allow this, so call first and switch if they don't) - this will allow the border routers to handle best route as well as the ISP - the ASA will function in the back via whatever IP you give it... forget all those route statements and ARP injections... BGP will also increase / improve tx and rx to www
