This document provides a sample configuration for an IOS router that terminates redundant ISP connections. In some cases a company requires the router to service SSL VPN connections on both the ISP1 and the ISP2 interface address in an active/active fashion. Because the router can have only one default route active at a time, local policy routing is used to change the next hop for SSL traffic that the router itself sources from the ISP2 interface address, so that those replies leave via ISP2 instead of following the default route out ISP1.
The sample configuration below satisfies that requirement: dual active SSL VPN gateways on a single router terminating a primary and a secondary ISP. It also automates default route selection with IP SLA and object tracking: the primary default route is installed only while track 1 reports the SLA probe reachable, and a floating static default route (administrative distance 240) takes over when the probe fails. Route-map based NAT overloads inside addresses to the ISP1 or the ISP2 interface address according to the egress interface, and access-list 101 exempts traffic between the LAN and the SSL VPN address pools from translation. Local policy routing modifies the next hop of router-generated TCP 443 traffic sourced from the ISP2 interface address.
interface FastEthernet0/0
 description To ISP1
 ip address 220.127.116.11 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To ISP2
 ip address 18.104.22.168 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Internal LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local policy route-map SSL-REDIRECT
ip local pool webvpn 192.168.100.10 192.168.100.15
ip local pool webvpn2 192.168.200.10 192.168.200.15
ip route 0.0.0.0 0.0.0.0 22.214.171.124 track 1
ip route 0.0.0.0 0.0.0.0 126.96.36.199 240
ip route 192.168.200.0 255.255.255.0 188.8.131.52
!
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
ip access-list extended SSL
 permit tcp host 184.108.40.206 eq 443 any
!
ip sla 1
 icmp-echo 220.127.116.11 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object referenced by the primary default route. It was missing from the
! original listing; without it the "track 1" keyword on the default route has
! nothing to follow and the route is never withdrawn.
track 1 ip sla 1 reachability
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SSL-REDIRECT permit 10
 match ip address SSL
 match interface FastEthernet0/1
 set ip next-hop 18.104.22.168
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map ISP2 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
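To make the interaction between the tracked default route, the local policy route-map and the NAT route-maps concrete, here is a small Python model of the forwarding decision the configuration above produces. It is an added example written for this page, not Cisco code and not a simulation of IOS. It assumes placeholder addresses from the RFC 5737 documentation ranges instead of the addresses in the listing, keeps the page's interface names, models only the ACL match of route-map SSL-REDIRECT (its match interface clause is not modelled), and stands in for the SSL VPN tunnel with a hypothetical interface name "virtual-access".

```python
"""Model of the forwarding and NAT decisions made by the dual-ISP configuration.

Added example, not Cisco's code. Addresses are assumed placeholders from the
RFC 5737 documentation ranges, not the addresses in the page's listing.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed topology (documentation addresses, interface names from the page).
ISP1_IF, ISP1_IP, ISP1_GW = "FastEthernet0/0", "192.0.2.10", "192.0.2.1"
ISP2_IF, ISP2_IP, ISP2_GW = "FastEthernet0/1", "198.51.100.10", "198.51.100.1"
LAN_IF = "FastEthernet0/0/0"
LAN_NET = ipaddress.ip_network("10.10.10.0/24")
VPN_POOLS = (ipaddress.ip_network("192.168.100.0/24"),   # pool webvpn
             ipaddress.ip_network("192.168.200.0/24"))   # pool webvpn2
SSLVPN_IF = "virtual-access"   # hypothetical stand-in for the SSL VPN tunnel


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    locally_generated: bool = False   # sourced by the router itself


def acl_101_permits(pkt: Packet) -> bool:
    """access-list 101: deny LAN -> VPN pools, permit LAN -> any, implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in LAN_NET:
        return False
    return not any(dst in pool for pool in VPN_POOLS)


def acl_ssl_matches(pkt: Packet) -> bool:
    """ip access-list extended SSL: permit tcp host <ISP2 address> eq 443 any."""
    return pkt.proto == "tcp" and pkt.src == ISP2_IP and pkt.sport == 443


def default_route(track1_up: bool) -> Tuple[str, str]:
    """Tracked static default via ISP1; floating static (AD 240) via ISP2."""
    return (ISP1_IF, ISP1_GW) if track1_up else (ISP2_IF, ISP2_GW)


def route_lookup(pkt: Packet, track1_up: bool) -> Tuple[str, Optional[str]]:
    """Plain routing-table lookup: connected LAN, VPN pools, then default."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in LAN_NET:
        return LAN_IF, None
    if any(dst in pool for pool in VPN_POOLS):
        return SSLVPN_IF, None        # client routes, modelled as one interface
    return default_route(track1_up)


def forward(pkt: Packet, track1_up: bool) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (egress interface, next hop, NAT source address or None).

    Order mirrors the configuration: local policy applies to router-sourced
    packets only, then the routing table, then the NAT route-maps keyed on
    the egress interface that was chosen.
    """
    if pkt.locally_generated and acl_ssl_matches(pkt):
        egress, next_hop = ISP2_IF, ISP2_GW     # route-map SSL-REDIRECT
    else:
        egress, next_hop = route_lookup(pkt, track1_up)

    nat_src = None
    if egress == ISP1_IF and acl_101_permits(pkt):
        nat_src = ISP1_IP                       # route-map ISP1, overload
    elif egress == ISP2_IF and acl_101_permits(pkt):
        nat_src = ISP2_IP                       # route-map ISP2, overload
    return egress, next_hop, nat_src


if __name__ == "__main__":
    # Constructed sample packets: a LAN web request and an SSL VPN reply
    # the router sources from its ISP2 address.
    lan_web = Packet("10.10.10.50", "203.0.113.80", "tcp", 40000, 80)
    ssl_reply = Packet(ISP2_IP, "203.0.113.9", "tcp", 443, 51000, locally_generated=True)
    for up in (True, False):
        print("track1 up" if up else "track1 down", forward(lan_web, up), forward(ssl_reply, up))
```

Two things the model makes visible. First, the router's own 443 replies are never translated: their source is not in 10.10.10.0/24, so access-list 101 does not permit them and neither NAT route-map fires, which is what keeps the SSL VPN reachable on the ISP2 address. Second, a reply the router sources from the ISP1 address while track 1 is down follows the floating default out ISP2 with an ISP1 source address; an upstream anti-spoofing filter at ISP2 will typically drop such packets, so the ISP1 gateway is only usable while ISP1 is actually up. That is inherent in the single-default-route design the page describes, not something the configuration can work around.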