07-13-2020 11:31 PM - edited 07-13-2020 11:32 PM
Hello,
We are planning to add another ISP and run it as a backup link, using IP SLA and tracking. The backup link is mainly for Remote Access VPN. I am aware of the concept of configuring a backup interface and using a floating static route, but I want to know what more I need to configure to get it to work. I assume I need to enable webvpn on the backup interface, but how about all the rest of the configuration that depends on the current outside interface name, like NAT and access-lists? Will the backup interface be renamed to "outside", or do I need to create additional configuration for everything that points to the outside interface?
Thanks
/Chess
07-14-2020 12:13 AM
Hi,
As well as the routing and IP SLA, you would create another unique interface name, e.g. BACKUP_ISP, and then configure an outbound NAT rule, NAT exemption, ACL etc. for each unique outside interface.
You'll need certificates for both IP addresses/FQDNs: either create 2 certificates or 1 certificate with SAN entries for each FQDN/IP address of the outside interfaces, then enable the trustpoint on the interfaces. E.g.
ssl trust-point RAVPN_SAN_CERT PRIMARY_ISP
ssl trust-point RAVPN_SAN_CERT BACKUP_ISP
NOTE - you cannot create a SAN certificate request on the ASA; use openssl and import.
HTH
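The following is an added worked example of the pieces the answer above lists, written for this thread rather than taken from the original posts or from the asker's running config. Interface names follow the trust-point lines above (PRIMARY_ISP, BACKUP_ISP); the inside network, VPN pool, interface IPs (RFC 5737 documentation ranges), gateways and SLA/track numbers are all assumptions chosen for illustration.

```cisco
! --- Interfaces (addresses are assumed documentation-range values) ---
interface GigabitEthernet0/0
 nameif PRIMARY_ISP
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif BACKUP_ISP
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! --- IP SLA: ICMP probe to the primary ISP gateway, forced out PRIMARY_ISP ---
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface PRIMARY_ISP
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! --- Default routes: tracked primary (metric 1), floating backup (metric 254) ---
route PRIMARY_ISP 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route BACKUP_ISP 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! --- Objects (assumed ranges) ---
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.20.0.0 255.255.255.0
!
! --- NAT: each rule that referenced the single outside interface now exists per ISP ---
! NAT exemption first (manual NAT is evaluated in order), so inside <-> VPN pool
! traffic is never translated whichever interface the tunnel terminates on
nat (inside,PRIMARY_ISP) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (inside,BACKUP_ISP) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
! Internet PAT for inside hosts behind either ISP address
nat (inside,PRIMARY_ISP) source dynamic INSIDE_NET interface
nat (inside,BACKUP_ISP) source dynamic INSIDE_NET interface
!
! --- Inbound ACLs, one per interface (needed if sysopt connection permit-vpn is disabled) ---
access-list PRIMARY_ISP_IN extended permit ip object VPN_POOL object INSIDE_NET
access-list BACKUP_ISP_IN extended permit ip object VPN_POOL object INSIDE_NET
access-group PRIMARY_ISP_IN in interface PRIMARY_ISP
access-group BACKUP_ISP_IN in interface BACKUP_ISP
!
! --- Remote access VPN listeners on both ISP interfaces ---
! RAVPN_SAN_CERT is the SAN certificate trustpoint from the answer above
ssl trust-point RAVPN_SAN_CERT PRIMARY_ISP
ssl trust-point RAVPN_SAN_CERT BACKUP_ISP
webvpn
 enable PRIMARY_ISP
 enable BACKUP_ISP
! Only if clients use IKEv2 as well as SSL
crypto ikev2 enable PRIMARY_ISP client-services port 443
crypto ikev2 enable BACKUP_ISP client-services port 443
```

Two things to check once this is in place. First, confirm the failover mechanics with `show track 1` and `show route` while the primary gateway is reachable and again while the probe is blocked; the BACKUP_ISP default route should only appear in the second case. Second, test what happens when a client connects to the BACKUP_ISP address while track 1 is still up: the backup route is only installed after the primary fails, so verify that the ASA's replies actually reach such a client before relying on the second FQDN as a client-side fallback (for example via a backup server list in the AnyConnect profile). For the certificate, generate the key and a CSR carrying a subjectAltName extension with both FQDNs off-box with openssl, have it signed, and import the resulting key and certificate into the RAVPN_SAN_CERT trustpoint as a PKCS12 with `crypto ca import RAVPN_SAN_CERT pkcs12 <passphrase>`.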
07-14-2020 01:41 AM
Thank you for the quick reply, Rob. Much appreciated.
/Chess