Please suggest Cisco device for Internet and VPN traffic separation

fgasimzade
Level 4

Dear all,

I would need your suggestion to find a Cisco device which will support this configuration:

We need to have two ISP connections on a Cisco device (ASA or Router) - one would serve for Internet, another one for site-to-site VPN (no load balancing)

I think it can be done on both ASA or router if:

1. We have a default route configured for Internet towards one ISP

2. We have a specific route to our remote VPN gateway and for the VPN subnets.

For example, let's say we have two ISP gateways: 1.1.1.1 and 2.2.2.2 and our remote VPN gateway 3.3.3.3

In this case we would have a default route for Internet towards one ISP

0.0.0.0 0.0.0.0 1.1.1.1

And a specific route for our VPN peer

3.3.3.3 255.255.255.255 2.2.2.2

and for the remote subnet

192.168.1.0 255.255.255.0 3.3.3.3


Will this configuration work on ASA or Router?


Thank you
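To make the scheme in the question concrete, here is an added IOS example (not the poster's or Cisco's configuration): the three routes from the question, plus a minimal IKEv1 crypto map applied on the ISP-2 interface so that the tunnel source address, and therefore the return path, also use ISP-2, which is the point raised in the replies. Interface names, the local LAN 192.168.0.0/24, the WAN address 2.2.2.10 and the IKE/IPsec parameters are assumptions; the pre-shared key is a placeholder.

```ios
! Added example, not the poster's configuration. Assumed: Gi0/0 faces ISP-1
! (gateway 1.1.1.1), Gi0/1 faces ISP-2 (gateway 2.2.2.2, own address
! 2.2.2.10/24), LAN is 192.168.0.0/24. Peer 3.3.3.3 and remote subnet
! 192.168.1.0/24 are the values from the question.
!
! Internet: default route towards ISP-1
ip route 0.0.0.0 0.0.0.0 1.1.1.1
! VPN peer: host route towards ISP-2, so IKE/ESP packets to 3.3.3.3 leave
! via Gi0/1 instead of following the default route out Gi0/0
ip route 3.3.3.3 255.255.255.255 2.2.2.2
! Remote LAN: next hop is the peer; IOS resolves it recursively through the
! host route above, so cleartext traffic for 192.168.1.0/24 also exits Gi0/1,
! where the crypto map encrypts it. Without this route it would take the
! default route out Gi0/0, where no crypto map exists, and leave unencrypted
! (and NATted, if NAT is configured there).
ip route 192.168.1.0 255.255.255.0 3.3.3.3
!
! Interesting traffic for the tunnel (exempt the same flows from any NAT rule)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! IKEv1 policy and pre-shared key (assumed parameters, placeholder key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PLACEHOLDER-PSK> address 3.3.3.3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! The crypto map sits on the ISP-2 interface only. Its address 2.2.2.10 becomes
! the tunnel source; the remote gateway answers to a prefix ISP-2 advertises,
! so the return path is also via ISP-2 without any BGP.
interface GigabitEthernet0/1
 ip address 2.2.2.10 255.255.255.0
 crypto map VPN-MAP
!
! Verification: peer and remote subnet must resolve to Gi0/1, default to Gi0/0
! show ip route 3.3.3.3
! show ip route 192.168.1.0
! show crypto session
```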

7 Replies

For your situation it would be best to use an ASA Firewall to give you that extra security. Because you have a specific IP address for your remote VPN site, it is easy to route that through a different ISP.

I am not sure, but it looks like one of the ISP connections is a DSL connection, so I think it is better to have a router with DSL ports.

Martin Hruby
Level 1

Hello

From the requirements you wrote, personally I would go for an ISR G2 router, for example a 2911 or 2921 depending on the amount of traffic that you expect.

On this link you will find the throughput (including IPSec traffic) for each platform: http://www.anticisco.ru/pubs/ISR_G2_Perfomance.pdf

Just as a side note, you need to also consider the path for returning traffic, not only outgoing. How will the remote VPN gateway reach back to your location - over the primary or backup ISP? This is best solved by forming a BGP adjacency with the ISPs and influencing path selection by manipulating BGP attributes.

Best regards,
Martin

Dear Martin,

Since it is a site-to-site VPN, the return traffic will go through the backup VPN by default, am I correct?

No BGP required.

Hello

Yes, returning traffic will go through the VPN; it's just a question of how the IPsec-encapsulated packet will reach back to your router (the tunnel headend). The remote gateway will send it to the tunnel termination IP, and that's where you need to influence how the packets will come in, whether over ISP-1 or ISP-2. Usually, if you use an IP address from the physical WAN interface connecting to an ISP (i.e. not a loopback), then return traffic will come in over the same link, because the ISP advertises the directly connected network throughout the WAN. If you use a loopback IP which is in theory reachable from both ISPs, then you need to influence path selection. It depends on the exact scenario.

Best regards,
Martin

Yes, I will be using an IP address from the WAN interface, not a loopback.

In that case you should be fine.
If you need any assistance with the configuration or troubleshooting, just let us know ;)

Best regards,
Martin
