How to use crypto maps bound to two interfaces/ISPs

mpisano
Level 1

I have an ASA 5515-X with two providers and would like to be fault tolerant and pseudo load balance.

I have bound my crypto maps to both outside interfaces, and my remote sites (35) have both of the ASA's ISP IPs and can connect to either... but not automatically.

Seems that the remote sites will connect to whichever interface has the lowest metric as the static route, which makes sense if I were using tracked routes, but that's not what I'm after...

I just want the ASA to let the tunnel in on whichever interface it tries to attach on and route the traffic back through that interface/tunnel. Would love to set the ASA to have the same metric on both, or two marked as "Tunneled", but it's not allowed.

Our WAN is global and I'm more worried about a route failure downstream than I am locally. If one of the local ISPs fails then the above would still work full scale.

Does this feature not exist? I don't mind buying a newer ASA if this is a newer feature. What do others do...?

Many thanks in advance,

Mike
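The behaviour Mike describes, modelled as an added example (this is not code from the thread and not Cisco ASA software): a constructed route table with two ISP uplinks and a static default route on each, where the lowest-metric default route, not the interface a tunnel arrived on, decides the egress interface for replies to a VPN peer. The interface names, addresses, metrics and peer sessions are all assumptions invented for the example; the per-peer /32 route at the end illustrates the generic longest-prefix-match rule and says nothing about what the ASA itself permits.

```python
"""Constructed model of the symptom in the post above: a firewall with two
ISP uplinks and a static default route on each.  Reply traffic to a VPN
peer follows the routing table, so the lowest-metric default route, not the
interface the tunnel arrived on, decides the egress interface.  Names and
addresses are invented for the example."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int


class RouteTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def lookup(self, dst):
        """Longest prefix match; ties broken by lowest metric."""
        dst = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def with_route(self, route):
        """Return a copy with one more static route (original unchanged)."""
        return RouteTable(self.routes + [route])


def egress_for(table, dst):
    route = table.lookup(dst)
    return route.interface if route else None


def return_path_symmetric(table, peer_ip, ingress_iface):
    """True when the reply to a peer leaves on the interface its tunnel used."""
    return egress_for(table, peer_ip) == ingress_iface


def asymmetric_peers(table, sessions):
    """Given (peer_ip, ingress_interface) pairs for active tunnels, return the
    peers whose return traffic would leave via a different interface."""
    return [peer for peer, iface in sessions
            if not return_path_symmetric(table, peer, iface)]


# Constructed table: primary default via outside1 (metric 1), floating
# default via outside2 (metric 254), plus the internal 10/8 network.
TABLE = RouteTable([
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "198.51.100.1", "outside1", 1),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.0.2.1", "outside2", 254),
    Route(ipaddress.IPv4Network("10.0.0.0/8"), "10.1.1.1", "inside", 1),
])

# Constructed sessions: two spokes came in on outside1, one on outside2.
SESSIONS = [
    ("203.0.113.10", "outside1"),
    ("203.0.113.20", "outside1"),
    ("203.0.113.30", "outside2"),
]


def pin_peer(table, peer_ip, next_hop, interface):
    """Add a /32 static route for one peer so longest-prefix match wins over
    the default routes.  Generic routing behaviour, used here only to show
    why the metric on the default routes stops mattering for that peer."""
    return table.with_route(
        Route(ipaddress.IPv4Network(f"{peer_ip}/32"), next_hop, interface, 1))


if __name__ == "__main__":
    print("egress for 203.0.113.30:", egress_for(TABLE, "203.0.113.30"))
    print("asymmetric peers:", asymmetric_peers(TABLE, SESSIONS))
    pinned = pin_peer(TABLE, "203.0.113.30", "192.0.2.1", "outside2")
    print("after /32 pin:", asymmetric_peers(pinned, SESSIONS))
```

Running it lists the spoke that connected on outside2 as the one whose replies would leave on outside1, which is the asymmetric path that keeps a tunnel from coming up automatically. The `asymmetric_peers` check is the kind of sanity test worth running against an exported route table and the list of peer addresses before relying on a second uplink.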

2 Replies

Marvin Rhoads
Hall of Fame

I don't think you can do that using an ASA. Its routing features are limited and not generally well-integrated with the VPN features for anything other than default routing.

You would be better off having a FlexVPN or DMVPN with a router headend.

Marvin,

First, thanks for the response. I agree the routing features of the ASA line are limited from its PIX inception (which didn't route at all).

Before I totally give up on the ASAs, we have two which we had planned to use as a failover pair, but one stays off and we sync the config for DR. If I were to use both ASAs with my two publics bound to each ASA, will that work?

My worries now are about how hairpinning would work if the peers were attached to different ASAs, with us at HQ being in the middle of the spoke-and-hub routing out to each site.

Typically we don't NAT the internal 10. traffic, and ACLs protect the subnets except for the pinholes. In the middle/hub is an Exchange server and our main AD server and group policy/Kaspersky server (the latter are more bidirectional).

Again, really appreciate your advice.

Mike
