I am working on setting up dynamic redundancy between two ISPs. I do not have a /24 block assigned, so BGP peering is not an option. The site is remote and I don't have the ability to easily change the way things are connected. The architecture is illustrated below.
The idea is to take the received default from the ISPs, redistribute it into separate OSPF ASNs on the border routers, receive it on the ASAs, redistribute it into the internal ASN (50) and propagate it to the 6500. The 6509 gets two equal-cost OSPF-derived default routes and load balances Internet-bound traffic between the ISPs.
Two separate IPsec tunnels exist back to an Active/Passive HA pair of ASAs at HQ. The object is to get a tunnel active and nailed up over one ISP and not the other.
1) The 6509 receives the defaults on the same VLAN that the ASAs' inside interfaces land on. I see the default received from one being heard by the other ASA and listed in the OSPF database. I assume I need to filter defaults being received on the inside interface but can't find a way to do it that works.
2) I'm not clear on how to tell the HQ ASA which tunnel to establish. There's no GRE over IPsec and I don't want to go there. How do I steer tunnels originating from the Active/Passive HA ASA pair at HQ?
3) Steering tunnel traffic from the remote site is in question as well. If I equal-cost load balance, then I'll need to steer the traffic one way or the other, as I don't think I can have both tunnels up at the same time. Having trouble with this and need help. A route map on the 6509 might work (changing the next-hop address of HQ subnets). Internet traffic would still get balanced, but HQ tunnel traffic should steer nicely. Ideas?
4) The final big issue is that I'm not well versed in OSPF and am concerned that there are underlying OSPF issues I'm missing. Thoughts? Red flags?
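As an added illustration of the route-map idea in item 3 and the inside-interface filter in item 1, here is an IOS/ASA configuration fragment. It is example configuration written for this page, not part of the original post; the prefixes, VLAN numbers, interface names, ASA inside addresses and the ISP-A/ISP-B roles are all assumptions. One caveat worth stating up front: an OSPF distribute-list on the ASA only keeps a learned route out of the routing table; it does not remove the LSA from the OSPF database, which is where the other ASA's default was observed.

```cisco
! ---- 6509 (example; all addresses assumed) ----
! HQ prefix 10.10.0.0/16 sits behind the HQ ASA pair; local users are on VLAN 100.
! ASA-A inside = 192.168.1.2 (ISP-A path), ASA-B inside = 192.168.1.3 (ISP-B path),
! both on the ASA-facing VLAN 10 together with the 6509.
!
! Track reachability of the preferred ASA so the policy falls back to the
! normal (equal-cost) forwarding table if ASA-A disappears.
ip sla 1
 icmp-echo 192.168.1.2 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Match only HQ-bound traffic; Internet traffic is untouched and keeps
! load balancing across the two OSPF-learned defaults.
ip access-list extended HQ-BOUND
 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Pin HQ-bound traffic to ASA-A while it is reachable; everything else
! (and HQ traffic when track 1 is down) follows the routing table.
route-map STEER-HQ permit 10
 match ip address HQ-BOUND
 set ip next-hop verify-availability 192.168.1.2 10 track 1
!
! PBR acts on traffic entering an interface, so apply it on the user VLAN.
interface Vlan100
 ip policy route-map STEER-HQ
!
! ---- ASA-A (example; mirror on ASA-B) ----
! Keep the default route learned from the other ASA out of this ASA's
! routing table. The LSA itself stays in the LSDB; only RIB installation
! is filtered, so the route will still show up in "show ospf database".
access-list NO-DEFAULT-IN standard deny host 0.0.0.0
access-list NO-DEFAULT-IN standard permit any
router ospf 50
 distribute-list NO-DEFAULT-IN in interface inside
```

This fragment covers the remote site only (items 1 and 3). It says nothing about which tunnel the HQ ASA pair initiates (item 2), and it steers only the outbound direction: return traffic from HQ follows whatever the HQ side decides. The 6509 is assumed to run PBR in hardware, so keep the route-map to a plain `match ip address` and `set ip next-hop`; check the platform's PBR restrictions before adding anything more exotic to it.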