Binding two ISPs on ASA for remote VPN clients to connect to, instead of creating two profiles on the remote client

rammany19
Level 1

Hello,

Just a quick one,

TOPOLOGY

ASA ISP1---------197.1.1.1-----------outside

ASA ISP2---------196.1.1.1-----------backup

LAN IP-------------192.168.202.100---inside

I have configured the tunnel on both (outside and backup) interfaces, but is there a way to bind the two public legs to serve as one, as redundancy for VPN users, and let VPN tunnel users point to the inside IP whenever they want to establish a VPN session? We want it to be one, so that if one interface fails VPN users will not know, but it will try the second for the connection, instead of creating a profile for the two outside legs on the VPN client.

Is it possible?

9 Replies

mvsheik123
Level 7

Hi,

Are you talking about the IPsec VPN client? If so, you can set the second ASA public IP in the backup servers list in the client (make sure the group name, key and other security parameters are the same on both ASAs for users to log in). That should work.

hth

MS

Hi,

What we want is "redundancy for the Cisco VPN client as a fail-over thing": when a VPN user establishes a connection, the connection tries whichever public IP is available and switches without the knowledge of the VPN users, so if one ISP is down the user can still establish with the second ISP without the user's knowledge. *****failover*****

I don't know where this will be applied, the headend or the client?

You can configure your VPN client with the backup servers tab, or, if your VPN supports DNS resolution for the peer IP, then you can have the VPN name instead of the IP address for getting that, since both your firewalls are acting as standalone, I guess, in your scenario.

Hello

I have three interfaces on my ASA 5520 box (inside, outside and backup), meaning two ISPs and one LAN. I have configured IPsec remote VPN on the "backup" interface but I have not enabled VPN on the public interface; I am using 8.3 IOS. I am thinking, do I need to create another VPN on the public interface with the same "groupname" and "preshared" on the outside leg? If I do so it complains that I already have one set up for the backup interface.

Please, I need advice here on how to achieve failover for VPN users on two different ISPs on an ASA 5520 with 8.3 IOS.

I need a solution ASAP.

Thanks in advance

Hi Rammany.

In your case you have only one ASA, which connects with 2 ISPs in different IP segments: 196.x.x.x (Link1) & 197.x.x.x (Link2). Your requirement is that you want the VPN client to be accessed with a backup: if the 196.x.x.x link fails it should automatically take the 197.x.x.x link, and that too without having the backup server config defined in the VPN client. You don't have the option of active/standby either in a single ASA.

I don't think this will work with your present design.

The only option is if your VPN client supports hostname resolution (DNS). You can have the VPN created for both the public IPs sharing the same hostname, by keeping link 1 as the primary address and link 2 as the secondary address. This alone will work.

Hope some other experts in our forum may help you with that.

Hello

I think the option to make VPN clients support resolution (DNS) is good then, if that will solve the problem.

Please, can you direct me on how I will make the VPN client support DNS resolution?

Please, I will appreciate it if you give me a link on how to make it, or paste it here.

Thanks

Hi Rammany,

Almost all VPN clients support DNS resolution. You can do it with the Cisco VPN client, the VPN we use most.

Instead of giving the IP address in the host field, give the hostname which is registered in public DNS. It should work.

Else you also have an option in the Cisco VPN client for backup servers, which you can use with the IP address itself: the primary IP address in the main tab, and the secondary IP addresses added in the backup servers tab. It will dial those if the primary is down.

You can have the .pcf file created and shared with the users, so that you can avoid confusion.

Please do rate if the given info helps.

Hello Karthikeyan,

Thanks, but how do I create the .pcf file as you mentioned above? I think I will stick to this but need to know how to create these .pcf files.

Thanks

Once you create a VPN profile in the Cisco VPN client, a .pcf file will be created in the Profiles folder.

Go through Connection Entries --> Import --> Profiles --> .pcf files; from there you can copy it.

or

From C:\Program Files\Cisco Systems\VPN Client\Profiles you can copy the relevant .pcf file and share it with the users. It will have the complete configuration except the user credentials, which have to be given by the users.

Please do rate if the given info helps.
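Both suggestions in this thread (a DNS name as the Host, or a backup-server list) end up in the .pcf profile that gets shared, so it is worth checking that file before handing it out. The Python below is an added example, not from any poster: it builds such a profile, lists the order in which the client would try peers, and checks that the file carries no user credentials. The hostname vpn.example.com and the group values are placeholders, the two addresses are the thread's, and Host, AuthType, GroupName, enc_GroupPwd, EnableBackup, BackupServer and SaveUserPassword are Cisco VPN Client profile keys.

```python
import configparser
import io

# Constructed sample values: the two public addresses are the thread's topology;
# the hostname is a placeholder that would carry both addresses in public DNS.
PRIMARY_HOST = "vpn.example.com"
BACKUP_SERVERS = ["197.1.1.1", "196.1.1.1"]
# Per-user credential keys; a profile handed out to users must not carry them.
USER_CREDENTIAL_KEYS = {"username", "userpassword", "enc_userpassword"}

def _parse(pcf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key case the client writes
    cp.read_string(pcf_text)
    return cp["main"]

def build_pcf(host, backup_servers, group_name, enc_group_pwd):
    """Return a .pcf profile ([main] section) with primary peer and backup list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp["main"] = {
        "Host": host,                    # DNS name or primary public IP
        "AuthType": "1",                 # pre-shared group key
        "GroupName": group_name,
        "enc_GroupPwd": enc_group_pwd,   # encrypted form the client writes itself
        "EnableBackup": "1",
        "BackupServer": ",".join(backup_servers),
        "SaveUserPassword": "0",         # users type their own credentials
    }
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()

def peer_order(pcf_text):
    """Peers in the order the client tries them: Host, then BackupServer entries."""
    main = _parse(pcf_text)
    peers = [main["Host"]]
    if main.get("EnableBackup") == "1":
        peers += [p.strip() for p in main.get("BackupServer", "").split(",") if p.strip()]
    return peers

def safe_to_share(pcf_text):
    """True when no user credential, no cleartext group password, no cached password."""
    main = _parse(pcf_text)
    if any(main.get(k) for k in main if k.lower() in USER_CREDENTIAL_KEYS):
        return False
    return not main.get("GroupPwd") and main.get("SaveUserPassword", "0") == "0"
```

The peer order shown is the primary-then-backup behaviour the thread describes, derived from the profile text; it does not simulate the client itself.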