Cisco ASA with multiple ISP connections routing with one dedicated VPN ISP

enelson11
Level 1

I'm moving offices and redesigning how my network is built. One of the things I plan to do is put both of my internet facing ISPs onto my HA paired 5525X firewalls. Currently one ISP is servicing my internet through the firewalls and the other ISP is servicing S2S VPNs through an older c2900 router. It also acts as a backup INET connection in the event that the primary fails. I want to maintain that ISP as the VPN ISP and the INET ISP as they are, but both handled at the firewall.
Essentially configure the routing as
route outside 0.0.0.0 0.0.0.0 <INET ISP>

route outside 0.0.0.0 0.0.0.0 <VPN ISP> 100
My question is, will I need to do anything extra for the VPN ISP connection beyond the following config:
<crypto map config>

crypto map outside_map interface <VPN ISP INT>
I will also have the AnyConnect remote-user VPN coming in on the INET ISP, and remote users will need access to those S2S VPNs. Would the following config handle that interface move?
same-security-traffic permit intra-interface
Will I need to add the following as well?

same-security-traffic permit inter-interface
Is there a best practice for this? Peeling the VPNs out of the ASA is doable, but with the c2900 out of SmartNet, the business wishes to move off of it. This would also provide a more fault-tolerant solution and make it easier to add additional VPNs as required. Should I dig into doing some kind of tracking of the INET ISP instead of weighted routes?

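An added example, not part of the original post, showing the ASA layout the question describes: two ISP interfaces, the INET default route tracked with IP SLA, the VPN ISP as a higher-metric backup, a host route for the S2S peer so IKE leaves via the VPN ISP, the crypto map bound to that interface, AnyConnect on the INET interface, and the same-security-traffic commands for the hairpin. Interface names, addresses, peer, ACL and proposal names are assumed placeholders; IKEv2 policies, tunnel-groups, the AnyConnect pool and NAT exemptions are omitted.

```cisco
! Added example, not the poster's config. All addresses/names are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside-vpn
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Probe the INET ISP gateway every 10s; the default route is withdrawn when it stops answering
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route follows the tracked object; VPN ISP takes over at metric 100
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-vpn 0.0.0.0 0.0.0.0 198.51.100.1 100
!
! Host route so IKE/ESP to the S2S peer egresses the VPN ISP even while the INET default route is up
route outside-vpn 192.0.2.10 255.255.255.255 198.51.100.1 1
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ikev2 enable outside-vpn
crypto map outside_map 10 match address S2S_PEER_ACL
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside-vpn
!
! AnyConnect terminates on the INET ISP interface
webvpn
 enable outside
!
! AnyConnect (outside) -> S2S tunnel (outside-vpn) crosses two interfaces of equal security level;
! intra-interface covers the case where both land on the same interface
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
```

Check the failover with `show track 1` and `show route` after pulling the INET link; the crypto map interface binding does not change which ISP the IKE packets leave on, so the host route for the peer is what keeps the tunnel on the VPN ISP.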