09-29-2015 07:35 AM - edited 03-05-2019 02:24 AM
Dear all,
I would need your suggestion to find a Cisco device which will support this configuration:
We need to have two ISP connections on a Cisco device (ASA or Router) - one would serve for Internet, another one for site-to-site VPN (no load balancing)
I think it can be done for both ASA or router if:
1. We have a default route configured for Internet for one ISP
2. We have specific route to our remote VPN gateway and for VPN subnets.
For example, let's say we have two ISP gateways: 1.1.1.1 and 2.2.2.2 and our remote VPN gateway 3.3.3.3
In this case we would have a default route for Internet towards one ISP
0.0.0.0 0.0.0.0 1.1.1.1
And specific route for our VPN peer
3.3.3.3 255.255.255.255 2.2.2.2
and for remote subnet
192.168.1.0 255.255.255.0 3.3.3.3
Will this configuration work on ASA or Router?
Thank you
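The routing table described in the post above, worked through as an added example (not from the original thread): a small recursive longest-prefix-match lookup that shows which ISP link each destination leaves on, and why the /32 host route for the VPN peer is what keeps the tunnel on ISP-2. The connected WAN networks 1.1.1.0/30 and 2.2.2.0/30 are assumptions made for the example.

```python
import ipaddress

# Static routes exactly as listed in the post: (prefix, next hop).
ROUTES = [
    ("0.0.0.0/0", "1.1.1.1"),        # default route: Internet via ISP-1
    ("3.3.3.3/32", "2.2.2.2"),       # host route to the VPN peer via ISP-2
    ("192.168.1.0/24", "3.3.3.3"),   # remote VPN subnet via the VPN peer
]

# Directly connected WAN networks (assumed for this example, not from
# the thread): the interface each ISP gateway sits on.
CONNECTED = {
    "isp1": "1.1.1.0/30",
    "isp2": "2.2.2.0/30",
}

def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def resolve(dst, routes=ROUTES, connected=CONNECTED, max_depth=8):
    """Resolve dst to an egress interface the way a recursive static
    route is resolved: follow next hops until one is directly connected.
    Returns (list_of_next_hops, interface_name_or_None)."""
    hops = []
    target = dst
    for _ in range(max_depth):
        for ifname, net in connected.items():
            if ipaddress.ip_address(target) in ipaddress.ip_network(net):
                return hops, ifname
        match = lookup(target, routes)
        if match is None:          # no route at all: traffic is dropped
            return hops, None
        hops.append(match[1])
        target = match[1]
    return hops, None              # recursion too deep (routing loop)

if __name__ == "__main__":
    for d in ("8.8.8.8", "3.3.3.3", "192.168.1.10"):
        print(d, "->", resolve(d))
```

Removing the 3.3.3.3/32 route makes the peer fall back to the default route and leave via ISP-1, which is the failure mode to check for when the tunnel unexpectedly moves links.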
09-29-2015 11:31 PM
For your situation it would be best to use an ASA Firewall to give you that extra security. Because you have a specific IP address for your remote VPN site, it is easy to route that through a different ISP.
09-29-2015 11:50 PM
I am not sure, but looks like one of the ISP connections is a DSL connection, so I think it is better to have a router with DSL ports
09-29-2015 11:32 PM
Hello
From the requirements you wrote, personally I would go for an ISR G2 router, for example a 2911 or 2921 depending on the amount of traffic that you expect.
On this link you will find the throughput (including IPSec traffic) for each platform: http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf
Just as a side note, you need to also consider the path for returning traffic not only outgoing. How will the remote VPN gateway reach back to your location - over the primary or backup ISP? This is best solved by forming a BGP adjacency with the ISPs and influencing path selection by manipulating BGP attributes.
Best regards,
Martin
09-29-2015 11:48 PM
Dear Martin,
Since it is a site-to-site VPN, the return traffic will go through the backup VPN by default, am I correct?
No BGP required.
09-30-2015 12:01 AM
Hello
Yes, returning traffic will go through the VPN; it's just a question of how the IPSec-encapsulated packet will reach back to your router (the tunnel headend). The remote gateway will send it to the tunnel termination IP, and that's where you need to influence how the packets will come in, whether over ISP-1 or ISP-2. Usually if you use an IP address from the physical WAN interface connecting to an ISP (i.e. not a loopback), then return traffic will come in over the same link, because the ISP advertises the directly connected network throughout the WAN. If you use a loopback IP which is in theory reachable from both ISPs, then you need to influence path selection. It depends on the exact scenario.
Best regards,
Martin
09-30-2015 12:16 AM
Yes, I will be using an IP address from the WAN interface, not a loopback.
09-30-2015 12:18 AM
In that case you should be fine.
If you need any assistance with the configuration or troubleshooting, just let us know ;)
Best regards,
Martin