Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
497
Views
0
Helpful
9
Replies

Site to Site VPN using 2 ASA's

Go to solution
Oscar Martinez
Level 1
Level 1

‎03-20-2017 11:26 AM - edited ‎03-12-2019 02:05 AM

I just got this job a couple of weeks ago and they have older Cisco equipment they want me to work with right now before I let them know of my recommendations for upgrading. We have a WAN link from Cox in San Diego, CA. that provides the internet for our remote building across the border into Tijuana,MX through a wireless bridge using Cambium PTP 600 Series radios. We have an ASA 5510 on each side and everything is working as is albeit on a flat network. However we want to add a second WAN link using two seperate technologies. We would have a second Cox business link in San Diego but on the Tijuana side we want to add a 200 Mbps Fiber link. What is the best way to go about configuring the ASA's for it to work? Is a site to site VPN the way go to or is there a more practial and efficient way? What kind of overhead and speed decreases am I looking at? Please let me know if you need any additional information regarding the current network setup.

Any help would be greatly appreciated!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Oscar Martinez

‎03-20-2017 02:47 PM

Twice I have asked about the WiFi link and twice you didn't respond.  So I am going to assume it doesn't exist.

For the Mexico ASA you can configure the VPN to use a primary and backup peer IP address.  The primary being the main IP address on the San Diego link you want to use for VPN, and the backup being the second link.

On the San Diego ASA you would configure IP SLA and route tracking.  Use the route tracking to control static routes for the Mexico public IP address and Mexico private subnets.  You need to swing these across as a group when failing over between the ISP links.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎03-20-2017 12:39 PM

Is the 200Mb/s fibre link in MX an Internet circuit?

So San Diego is going to have to WAN links, or are these actually two Internet links?

What is the speed of the WiFi link between the sites?

0 Helpful

Go to solution
Oscar Martinez
Level 1
Level 1
In response to Philip D'Ath

‎03-20-2017 01:51 PM

Hi Philip thank you for the response. 

So to answer your questions: 

1. Yes,  the 200Mbps fiber link is an internet circuit

2. Yes, San Diego will have two internet links (one for VPN which would be main link and one for redundancy)

 

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Oscar Martinez

‎03-20-2017 02:01 PM

This kind of solution is way easier with a Cisco Meraki MX which has built in support for dual Internet links.
https://meraki.cisco.com/products/appliances

Are you going to retain the WiFi link so both sides have the same layer 2 flat network, or are you intending on getting rid of it?

0 Helpful

Go to solution
Oscar Martinez
Level 1
Level 1
In response to Philip D'Ath

‎03-20-2017 02:36 PM

I was thinking of using the second link as a redundant (failover) link. I don't intend it to be a flat network. I'm actually going to do the IP addressing scheme for VLANs soon as well as upgrading the switches since we currently have OLD 3500XL routers. Am going to get 3560's to replace them

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Oscar Martinez

‎03-20-2017 02:47 PM

Twice I have asked about the WiFi link and twice you didn't respond.  So I am going to assume it doesn't exist.

For the Mexico ASA you can configure the VPN to use a primary and backup peer IP address.  The primary being the main IP address on the San Diego link you want to use for VPN, and the backup being the second link.

On the San Diego ASA you would configure IP SLA and route tracking.  Use the route tracking to control static routes for the Mexico public IP address and Mexico private subnets.  You need to swing these across as a group when failing over between the ISP links.

0 Helpful

Go to solution
Oscar Martinez
Level 1
Level 1
In response to Philip D'Ath

‎03-21-2017 07:30 AM

Sorry for the late reply got really busy at work. But I do very much appreciate the help and advice you have given me. Regarding the wifi link  you are correct, we will be getting rid of it. 

As for the Meraki MX solution it does look very attractive to what i'm trying to do and will further look into it. Thank you so much for your help! 

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Oscar Martinez

‎03-21-2017 07:51 AM

No worries.  It would be great if you could rate responses that you think were helpful.

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Oscar Martinez

‎03-20-2017 02:02 PM

Do all the Internet circuit's have a static IP?

0 Helpful

Go to solution
Oscar Martinez
Level 1
Level 1
In response to Philip D'Ath

‎03-20-2017 02:32 PM

Yes, all of them have static IPs

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card