What if I have VPN tunnels? I do understand that I will create to private subnets with t he ISPs. However, I have VPN tunnels how can I terminate them on the ASA then?

Regards,

Are you running BGP with your IPS? Are the tunnels for l2l peers or remote access peers?

l2l:

At the remote end create a second peer to the second isp. Enable isakmp keepalives at both ends. When the one ips fails DPD will detect teh tunnel being down and connect to the alternate peer ip.

RA:

If not then all you can do is provide a backup ip to the client. This can be done manually in the client software or pushed from the pix. Apply the vpn crypto configs to both interfaces.

Redundancy

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172787.html#wp1059045

Hello,

Actually, it is l2l VPN. I have only one real subnet from both ISPs. The ISPs are running BGP and advertising my subnet. THe problem is if I follow the above link posted by one of your colleges to have dual ISP then I will have to put private I addresses on the ASA interfaces. Let's say I have put private IP addresses then how can I terminate the l2l VPN on the ASA?

Regards,

The example only uses rfc 1918 addresses. This will work using your actual ip's.

Code 7.21 is required for running route tracking. If your running a failover pair of ASA's there is a bug for route tracking. When failover occurs it breaks tracking.

Bug: CSCsd51407

Is your ASA connecting directly to your ISP routers or do you have your own? Is your ASA directly connected to the router(s)?

If you have 2 edge routers connecting to your isp your better off running hsrp.

If your have 1 edge router connected to each isp you could use ospf to redistribute a default route to the asa.

Thanks,

Chad

Hello,

As Chad mentioned, the example uses Private IP addresses, but you can substitute those with addresses from the Public Subnet that is being advertised by both your ISP. Given that the Active ASA's outside public IP becomes the terminaation point for your L2L tunnels.

Regards

Pradeep

Hello,

Thanks for the feedbacks. Well the issue is that the ISPs are directly terminated on the ASA. We don't have any router on the outside zone. Moreover, if I change the RFC 1918 IP address to the public then here goes another issue which is that we have only one public range from the ISP which is being advertised by them to the internet using BGP. Therefore, I won't be able to put same subnet on two interfaces on the ASA.

Any ideas,

Thanks again in advance,

Regards,

Subnet your ip block.

So if you have 1 /24, subnet it into 2 /25's which will give you 126 ip in each subnet. Have your ISP advertise the /25's.

or

Buy a couple routers.

Thanks,

Chad

Chad one last question before I rate the post. what about the Static NAT entries and PAT that I have? one I shift to the second subnet?

Regards,

You will have to change your nat, pat, static translations and your interface ip's to the new subnets.

Since your isp is doing the routers you will most likely have to work with them.

Let me know if there is anything else.

Thanks,

Chad