Solved

Have Dual ISP, want incoming IPSEC from BOTH ISPs... what is the proper hardware/config?

Posted on 2009-07-04
6
646 Views
Last Modified: 2012-05-07
Please read over the question and answer for:
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24537164.html

Basically the answer is that I can't accomplish what I want with what I have.  So now I'm asking the experts: what is the proper configuration to fulfill these requirements:

Dual ISP.
The default route for outgoing traffic will be ISP1, unless it goes down, then ISP2 should take over.  That part is simple enough I believe.

The only incoming traffic is Cisco VPN Client (IPSEC), but it needs to be active on BOTH ISP's at the same time.   A user should be able to connect to the static IP of ISP1, or the static IP of ISP2.  And succesfully make an IPSEC connection.   This is where my current hardware/configuration doesn't work.  Reviewing the question will tell you why.

More details are in the original question, but right now we have a Cisco 1811 (to deal with dual wan) and behind that is a Cisco 5510 (firewall, access rules, etc), which also is the VPN server.

I'm open to other ideas, including new hardware.

0
Comment
Question by:kevin_u
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 24777479
My idea here is to put a secondary IP address on the ASA. You then would route-map the second IP to the second ISP on the 1811. The ASA would perform NAT, Firewall, and VPN.
0
 
LVL 12

Author Comment

by:kevin_u
ID: 24777522
I thought of that, Based on my original experimentation, the ASA box would not route to the secondary interface.  Lets say a user from outside has a public IP of 99.99.99.99.  That user connects to the 1811, ISP2, on ip 2.2.2.2... which then gets forwarded to the ASA on the secondary interface.   The ASA would see the 99.99.99.99 coming into its secondary ip, and when it responds, would then consult the routing table for how to route 99.99.99.99... which, because 99.99.99.99 is a public ip... would be down the primary interface... and therefor out ISP1.
0
 
LVL 15

Accepted Solution

by:
wingatesl earned 250 total points
ID: 24777660
Second IP address on the primary external interface of the ASA. On the 1811 you would have your default route and then a simple route-map

ip access-list extended director
  permit ip host <secondary ip of ASA> any

route-map director permit 10
   match ip address director
   set ip next-hop <secondary ISP gateway>

an ARP alias on the ASA should allow you to get the secondary IP.
Personally I would ditch the ASA and use an 1811 on each ISP. The IOS firewall is the same as the ASA and it would give you more flexibility.
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

 
LVL 12

Author Comment

by:kevin_u
ID: 24777712
I believe I see how that would work now.  

When I've tried to put a secondary IP on the ASA before, the software required that it be on a separate subnet..   Is there another way to put a secondary IP on that interface?  Or, would I configure two small subnets on the primary external interface of the ASA, and one big one on the 1811?... then use arp aliases?... thinking outloud here...

I appreciate the help!... this should be my last question on the subject!
0
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 250 total points
ID: 24780667
My original post to this was
-------------
The setup you want to create cannot be accomplished.

Reason:

The default gateway is ISP1 and since your remote VPN clients come from random IPs, the router dosn´t not know when to route via ISP 2. If this had been L2L tunnels, static that is, it could have been done as you then could have added the static routes via ISP2.

The only way you can use ISP2 when using remote VPN clients is as backup server but ISP1 would be primary.
-------------

However giving it some thought there might be a way. Remember this is just an idea and I have no evidence that it will work and it will messy if it does and I am not totally sure about howto configure it but if you can use any of it be my guest.

It requires the cisco 1811 to run IOS version 12.4(6)T or later and featureset  Advanced Security.

The setup.

Make use of a VRF in the 1811 to terminate the 2nd ISP. Configurer Remote VPN and NAT in the VRF to refelect the configuration of the ASA with reversed route injection. Apply a zone-based firewall policy to allow traffic to go to and from the global routing table. You should be able to configure static routing to point the 1811VRF Remote VPN net into the VRF. In the VRF you make default route via ISP2 and the internal networks via The global routing table.

Set the ASA as gateway in the global routing table of the 1811 and use tracking to failover to ISP2. Make a static route on the ASA pointing the 1811VRF remote VPN net to the global routing table IP.


Thats my idea but I am not sure its solid but certain its not best practice.


0
 

Expert Comment

by:gevansmdes
ID: 24916669
you could simplify this all by getting you your own public IP space from ARIN and then using BGP to your ISP (some ISP won't allow this so call first and switch if they don't) - this will allow the border routers to handle best route as well as the ISP - the ASA will function in the back via whatever IP you give it.. forget all those route statements and arp injections.. BGP will also increase / improve tx and rx to www
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question