ASA AnyConnect VPN and Two HA Pairs

PNI-ITRNP
Level 1

Looking for some advice, or real world experience on best method to configure AnyConnect VPN access with two ASA HA Pairs.

Here is what I want to do, and I want to see how others have designed this or something similar.

I have two ASA clusters (as in HA pairs) that will provide SSL VPN access. The SSL part is a breeze; I have that configured and it works well. My dilemma is in the VPN access: because I have two ASA clusters, what is the best solution for clients receiving an internal DHCP address?

My thought is to have two IP address scopes on my internal DHCP server, one scope for one ASA cluster and another scope for the second ASA cluster. Would it make sense to have one interface on each cluster physically attached to a router so the interface can be used as the gateway for each IP scope? This way I can also set routes internally for the scopes to go back to the proper firewall.

Example:

ASA Cluster 1: Internal DHCP Scope 172.20.1.5 – 172.20.1.254 - Interface is 172.20.1.1 (Gateway)

ASA Cluster 2: Internal DHCP Scope 172.20.2.5 – 172.20.2.254 - Interface is 172.20.2.1 (Gateway)

Or is there a better way to do this? Attached is a simple diagram in order to make it easier to visualize the concept.

BTW – We have two ISPs that provide internet access, which is why we have two ASA Clusters.

Accepted Solution

Jan Rolny
Level 3

Hello PNI-ITRNP,

I have a similar solution and it works fine. The only difference in what I have is that I am assigning client IP addresses with an ACS RADIUS server.

I think it is a good solution. When you need to solve some problem with a client you can better identify the client IP address and also find which location the client is trying to connect to. Also, if one ISP fails you can connect via the backup location.

I have both locations active so the client can connect wherever he wants. Of course, routes inside the network are configured so that the client can reach the LAN from both locations.

Best regards,

Jan
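One way to lay this out in ASA configuration, added here as an example and not the original poster's or Jan's actual config. It covers both the design in the question (one DHCP scope per cluster, with internal routes pointing each scope back at the cluster that issued it) and the variant in the accepted answer (addresses assigned by an ACS RADIUS server). Assumptions not taken from the thread: a routed /29 transit subnet between each ASA inside interface and the core router (10.20.1.0/29 and 10.20.2.0/29) instead of placing the ASA interface inside the client scope itself, the interface, group-policy and tunnel-group names, a DHCP server at 10.10.10.10, a RADIUS server at 10.10.10.20, and IOS syntax for the core router. The SSL trustpoint and AnyConnect image commands are omitted because the thread gives no file or certificate names.

```cisco
! ---- ASA Cluster 1 (configure on the active unit; HA replicates it) ----
! Assumed transit subnet toward the core router: ASA active .1, standby .2,
! router .3. Keeping the client scope off this subnet means return traffic
! is routed to the ASA rather than depending on proxy ARP on the inside.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.248 standby 10.20.1.2

! Option A (the question's design): addresses come from the internal DHCP
! server. dhcp-network-scope is passed to the DHCP server so it selects the
! 172.20.1.0/24 scope for this cluster; Cluster 2 uses 172.20.2.0 instead.
vpn-addr-assign dhcp

group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 dhcp-network-scope 172.20.1.0
 dns-server value 10.10.10.10
 split-tunnel-policy tunnelall

tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 dhcp-server 10.10.10.10
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias corp enable

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

! Option B (the accepted answer's approach): ACS RADIUS returns the client
! address as Framed-IP-Address. Replace "vpn-addr-assign dhcp" with these
! lines; server address and shared secret are assumptions.
! aaa-server ACS protocol radius
! aaa-server ACS (inside) host 10.10.10.20
!  key <shared-secret>
! vpn-addr-assign aaa
! tunnel-group TG-ANYCONNECT general-attributes
!  authentication-server-group ACS

! ---- ASA Cluster 2 ----
! Identical, with inside 10.20.2.1/29 (standby 10.20.2.2) and
! dhcp-network-scope 172.20.2.0.

! ---- Core router (IOS, assumed) ----
! Each scope is routed to the cluster that hands it out. The next hop is the
! cluster's active inside address, which moves with failover, so the route
! survives a unit failure without any change on the router.
ip route 172.20.1.0 255.255.255.0 10.20.1.1
ip route 172.20.2.0 255.255.255.0 10.20.2.1
```

The ASA installs a host route for each connected client on its own routing table; the rest of the network only needs the two summary routes above. Whichever address source is used, the summary route for a scope must point at the same cluster whose `dhcp-network-scope` (or RADIUS-assigned range) it matches, otherwise a client gets an address that the network routes to the other firewall and its return traffic is dropped.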


4 Replies


Jan,

Thanks for the reassurance that I am going down the right path.

Question: how did you handle the client end, in terms of which ASA pair the AnyConnect client goes after to make the VPN connection?

I was thinking round-robin DNS for one hostname, so there is some sort of pseudo load balancing between the two pairs. Or is it possible to use the Load Balancing feature in the ASA for remote access VPN?

How did you configure your clients to go after one or the other ASA cluster?

Thanks,

PNI-ITRNP

Hello,

My clients are connecting directly to the first or second IP/hostname. I have no load balancing implemented for ASA VPN access.

Round-robin DNS would be a nice solution in case you do not want to let clients select a specific IP/hostname. But finally it does not matter, because they will have access from both locations to the whole inside LAN.

Also, you could save money with a single pair of ASAs. There are two locations; if one ASA goes down, the other ASA in the second location is still accessible.

Best regards,

Jan

OK, thanks for the clarification.

Yeah, we have two ASA HA pairs (four firewalls total, two in HA per ISP), so you could say we have redundancy for our redundant ASA pairs.

Thanks.