topic Can I do load-sharing on the ASA when using Site-to-Site VPN? in Network Security

Can I do load-sharing on the ASA when using Site-to-Site VPN?

Thotsaphon Lueangwattanaphong — Mon, 11 Mar 2019 15:07:37 GMT

I'm using ASA as a VPN concentrator on HQ site. I've used Public IP addresses on both interfaces,Inside and Outside interfaces. I've had 4 branch sites connecting to HQ using Site-to-Site VPN. How can I do load-sharing with those 2 interfaces on ASA? What I want to do is that 2 branch sites peer with the outside interface and the other 2 branch sites peer with the inside interface. Is this possible? If not,What's the best practice to do?

TIA

Toshi

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

andrew.prince — Fri, 20 Mar 2009 08:55:38 GMT

Toshi,

This is not load sharing. Best practise is to have the VPN's terminate on the outside interface. The ASA does not support Site-to-Site VPN load Balancing.

HTH>

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

Thotsaphon Lueangwattanaphong — Fri, 20 Mar 2009 18:42:54 GMT

Hi Andrew,

Thanks for the prompt. What I'm going to do at HQ site is as follows:

- I've got 2 WANs (2 ISPs)

- I've got a load balance box.

- I've got 2 Public IP Blocks from 2 ISPs

ASA-->Default Route--> LoadBalanceBox--> Separate 2 Wans(2 ISPs)

Outside(Untrust) interface will be assigned with the public ip address of ISP-A.

Inside(Trust) interface will be assigned with the public ip address of ISP-B.

I've got 4 branch sites to do site-to-site VPN with HQ site.

I want the 2 branch sites to peer with the outside interface on the ASA (Via ISP-A).

I want the other 2 branch sites to peer with the inside interface on the ASA (Via ISP-B). But traffic will go from outside-to-inside. Is this allowed by ASA?

Hopes I explained a bit more about my question in detail.

Please share what you guys think.

TIA

Toshi

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

andrew.prince — Fri, 20 Mar 2009 19:05:18 GMT

Toshi,

I have a question - why do you want to terminate the VPN's on seperate interfaces, but allow them to commincate together? You may as well just terminate them on 1 interface - then you have an interface to spare.

HTH>

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

Thotsaphon Lueangwattanaphong — Fri, 20 Mar 2009 19:26:04 GMT

Hi Andrew,

That's why I called "Load-Sharing". I want to use 2 ISPs for peering IPSec VPN. Actually I can do NAT(udp/500,4500) on the device connecting to the ISP-A to terminate IPSec packet on the outside interface as the packets coming from the ISP-B. I just want to know that ASA allows us to do IPsec peer with the inside interface but packets coming from the outside interface or not.

Thanks,

Toshi

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

JamesLuther — Fri, 20 Mar 2009 19:28:03 GMT

Hi Toshi,

This isn't how I would implement.

It sounds like you have two Provider Allocated (PA) IP ranges and therefore you require two interfaces with public IPs. However I would configure two outside interfaces and IP your inside interface using private addressing. ie

interface Ethernet0

nameif ISP1

security-level 0

200.1.1.1

interface Ethernet1

nameif ISP2

security-level 0

195.1.1.1

interface Ethernet4

nameif inside

security-level 100

ip address 192.168.1.1

VPN traffic will be allowed to go from outside to inside if it's defined in the crypto ACL.

There are also lots of other designs you could do ie with a layer of routers and NAT or multi context mode ASA.

Regards

James

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

Thotsaphon Lueangwattanaphong — Fri, 20 Mar 2009 19:34:57 GMT

Hi James,

Thanks for that. The inside interface is connecting to all hosts assigned with the public ip addresses of ISP-A. This is the existing network. That's why I can't do 2 outside interfaces on the ASA

Thanks,

Toshi

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

andrew.prince — Fri, 20 Mar 2009 20:17:07 GMT

Toshi,

How many interfaces does your device actually have? I ask as if you use the inside interface for this task - how are you going to monitor/troubleshoit/configure the device?

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

Thotsaphon Lueangwattanaphong — Fri, 20 Mar 2009 20:40:54 GMT

Andrew,

Don't get me wrong. I indeed have 2 interfaces,Outside and Inside. They both have been assigned with the different public ip addresses from the different ISPs. My question is "Does ASA allow us to use the inside interface to do IPSec peer with the other devices comming from the outside interface?".

Thanks

Toshi

Re: Can I do load-sharing on the ASA when using Site-to-Site VPN

andrew.prince — Fri, 20 Mar 2009 21:30:47 GMT

In theory - yes.

It would be alot easier though if you connected the outside interface to a switch - and a port that was a trunk.

They you could create sub-interfaces of the outside interface, and give them the same security level - while allowing you to use the inside interface for management.