Musafeer79 (Australia) asked:
Cisco ASA redundant Link Configuration

I'm trying to configure a redundant ISP link on a Cisco ASA 5505 following the link below.
www.cisco.com/warp/public/110/pix-dual-isp.pdf

Internet is working fine from inside to outside, but I need to configure webmail access for my external users, and external users still need to have VPN access.

Any suggestion on how this can be configured so VPN and webmail access work when the primary link is down?
ASKER CERTIFIED SOLUTION
Pete Long (United Kingdom of Great Britain and Northern Ireland)
This solution is only available to members of Experts Exchange.

The problem is that those services are tied to a specific IP number. The VPN endpoints are IP specific, as is the URL to access Webmail. The short answer is that the cheapest/easiest way to do this is manual. Host your DNS with a provider that makes changes quickly, and manually update your webmail URL to point to the failover IP if your primary ISP is down. As for remote-client VPN, if using the Cisco VPN client, it has a Backup option in the client where you can configure the failover IP number, but you'd have to configure the firewall to listen for dynamic VPN tunnels on both ISP interfaces.

The longer answer is BGP.  Obtain a /24 from an ISP, get another ISP to agree to BGP for that IP block, set them both up to BGP advertise that IP block, then configure your firewall to only use that IP block and direct traffic to an upstream router that handles the BGP sessions.  That way your Internet IP number doesn't change with whichever ISP is down.
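The following is an added, illustrative configuration (not from the original thread, Cisco's dual-ISP document, or any of the posters) showing what the "short answer" above looks like on an ASA 5505 running pre-8.3 code: a tracked default route so the backup ISP takes over when the primary's next hop stops answering, the webmail server published on both ISP addresses, remote-access IPsec listening on both ISP interfaces, and the backup ISP address pushed to the Cisco VPN client as a backup server. Every address (RFC 5737 documentation ranges), interface, object and group name is an assumption, and the pre-shared key is a placeholder.

```cisco
! Added example configuration; all addresses, names and VLAN numbers are assumed.
! Primary ISP on Vlan2, backup ISP on Vlan3. On a 5505 Base license the third
! VLAN must be restricted from initiating traffic to one other VLAN, hence
! "no forward interface Vlan1" on the backup interface.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe the primary ISP gateway; when the probe fails, the tracked default
! route is withdrawn and the higher-metric backup route becomes active.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on whichever ISP interface currently carries the default route.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Webmail server (192.168.1.10) published on a public address from each ISP
! (pre-8.3 "static" syntax; 8.3+ uses object NAT instead).
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
static (inside,backup)  198.51.100.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.3 eq https
access-list backup_in  extended permit tcp any host 198.51.100.3 eq https
access-group outside_in in interface outside
access-group backup_in  in interface backup
!
! Remote-access IPsec: identical IKE/IPsec policy, crypto map bound to BOTH
! ISP interfaces so the client can build its tunnel to either address.
ip local pool VPNPOOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable backup
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
!
! Push the backup ISP address to the client as a backup server, so the
! Cisco VPN client retries 198.51.100.2 when 203.0.113.2 does not answer.
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 vpn-tunnel-protocol IPSec
 backup-servers 198.51.100.2
!
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key CHANGE-ME-PLACEHOLDER
```

Two caveats a practitioner should test before relying on this. First, this is failover, not simultaneous use: while the tracked primary route is still installed, a connection that arrives on the backup interface (to 198.51.100.3 or to the VPN endpoint 198.51.100.2) gets its replies routed out the primary interface by the normal route lookup, and the ASA drops them as belonging to a different connection; the backup addresses only become usable once the SLA probe fails and the backup default route is active. Second, the DNS part of the manual procedure only works if the webmail record's TTL is short enough (minutes, not a day) that resolvers pick up the changed A record while the primary link is down; check with `dig +noall +answer webmail.example.com` (name assumed) that the TTL you configured is what the authoritative server actually serves.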