Most Hub/Spoke designs have a redundant ASA (Hub) in the datacenter, mostly dual-homed. But when it comes to the client side (Spoke) you can have multiple cheap uplinks like VDSL, ADSL and LTE.
With EasyVPN you can only have one backup connection, e.g. VDSL as primary and ADSL as secondary. But what happens when there is an outage at the DSL provider itself? You could use LTE as a third backup. This is where IKEv2 comes into play.
I only add the required lines to the client and assume you already have a running setup like in
interface Vlan51
 description BackupDSL
 ip address 192.168.1.50 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no autostate
 crypto map cmap
!
interface Vlan52
 description LTE
 ip address 192.168.8.50 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no autostate
 crypto map cmap
Please select four publicly pingable and stable addresses. I won't post any here; search around, there are enough.
ip sla 100
 icmp-echo <pingable-address1> source-interface Dialer0
 threshold 2
 frequency 10
ip sla schedule 100 life forever start-time now
!
ip sla 101
 icmp-echo <pingable-address2> source-interface Dialer0
 threshold 2
 frequency 10
ip sla schedule 101 life forever start-time now
!
ip sla 200
 icmp-echo <pingable-address3> source-interface Vlan51
 threshold 2
 frequency 10
ip sla schedule 200 life forever start-time now
!
ip sla 201
 icmp-echo <pingable-address4> source-interface Vlan51
 threshold 2
 frequency 10
ip sla schedule 201 life forever start-time now
Now we set static host routes for these addresses, so each probe is pinned to its own uplink and is not affected when the default route changes. PLEASE: don't use your provider's DNS servers as probe targets; if one line has a problem you will no longer get fast name resolution!
ip route <pingable-address1> 255.255.255.255 Dialer0
ip route <pingable-address2> 255.255.255.255 Dialer0
ip route <pingable-address3> 255.255.255.255 192.168.1.1
ip route <pingable-address4> 255.255.255.255 192.168.1.1
Set up boolean tracking, so that both addresses of an uplink have to be down before the route is withdrawn. This is more stable than pinging only one address:
track 100 ip sla 100 reachability
track 101 ip sla 101 reachability
track 200 ip sla 200 reachability
track 201 ip sla 201 reachability
!
track 1 list boolean or
 object 100
 object 101
!
track 2 list boolean or
 object 200
 object 201
Finally the default routes:
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 170 track 2
ip route 0.0.0.0 0.0.0.0 192.168.8.1 254
So your default gateway is Dialer0. When both pingable addresses 1 and 2 are unreachable, the first route is withdrawn and the second one (administrative distance 170) takes over. When pingable addresses 3 and 4 are also unreachable, the second default route is withdrawn as well and the last one (distance 254, untracked) takes over. When the hosts become reachable again, the routes are reinstalled in the same order of preference.
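The following is an added example, not part of the original post and not Cisco code: a small Python model of the selection logic described above (four reachability objects, two "boolean or" track lists, three default routes with administrative distances 1, 170 and 254). It lets you check which next hop the router would use for a given probe state, including the recovery case, before touching a live device. The probe states and SLA numbers are the ones used in this article; the model itself is a simplification and is an assumption about Cisco's behaviour, not an implementation of it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, List

# Probe state as a dict: ip sla id -> reachable (True/False).
ProbeState = Dict[int, bool]


@dataclass(frozen=True)
class TrackList:
    """Models 'track N list boolean or': up when at least one member is up."""
    members: Tuple[int, ...]

    def is_up(self, probes: ProbeState) -> bool:
        return any(probes.get(sla, False) for sla in self.members)


@dataclass(frozen=True)
class StaticRoute:
    """A default route; track=None means untracked (always installed)."""
    next_hop: str
    distance: int
    track: Optional[TrackList] = None

    def installed(self, probes: ProbeState) -> bool:
        return self.track is None or self.track.is_up(probes)


# Same numbering as the article: SLA 100/101 on Dialer0, 200/201 on Vlan51.
TRACK_1 = TrackList((100, 101))
TRACK_2 = TrackList((200, 201))

DEFAULT_ROUTES = (
    StaticRoute("Dialer0", 1, TRACK_1),        # ip route 0/0 Dialer0 track 1
    StaticRoute("192.168.1.1", 170, TRACK_2),  # ip route 0/0 192.168.1.1 170 track 2
    StaticRoute("192.168.8.1", 254, None),     # ip route 0/0 192.168.8.1 254
)


def active_default(probes: ProbeState) -> str:
    """Return the next hop of the installed default route with the lowest distance."""
    candidates = [r for r in DEFAULT_ROUTES if r.installed(probes)]
    # The untracked LTE route guarantees at least one candidate.
    return min(candidates, key=lambda r: r.distance).next_hop


def replay(events: List[Tuple[int, bool]]) -> List[str]:
    """Start with all probes up, apply (sla_id, reachable) changes one by one
    and return the active next hop after each change (assumed scenario data)."""
    probes: ProbeState = {100: True, 101: True, 200: True, 201: True}
    history = []
    for sla_id, reachable in events:
        probes[sla_id] = reachable
        history.append(active_default(probes))
    return history


if __name__ == "__main__":
    # Constructed outage: VDSL probes fail one after the other, then both DSL
    # probes, then the first VDSL probe comes back.
    scenario = [(100, False), (101, False), (200, False), (201, False), (100, True)]
    for (sla_id, up), hop in zip(scenario, replay(scenario)):
        print(f"sla {sla_id} {'up' if up else 'down'} -> default via {hop}")
```

Note that losing only one of the two probes on an uplink does not move the default route; that is exactly what the "boolean or" track lists buy you compared with tracking a single address.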
If you don't have much traffic but want the IPsec tunnel to stay up all the time, you can create a third SLA probe whose interesting traffic always triggers the VPN:
ip sla 3
 icmp-echo <pingable-address5> source-interface Vlan1
 threshold 2
 frequency 10
ip sla schedule 3 life forever start-time now
You don't need a specific route for this one; it only has to be routed through the current default gateway and must match the IPsec policy.