Configure 3 ISPs on 1 router and run site to site VPN

femi.agboade
Level 1

Hello,

I have an existing setup as follows:

HO ASA is directly connected to ISP1 running peer-to-peer VPN with 5 remote sites also having ASAs as endpoints terminating the VPN tunnels. Note that the ISPs at the different remote locations are all different so the peer-to-peer VPN is actually run over the internet. 

Because the client experiences downtime from ISP1 at HO, they went ahead and got 2 new ISPs, making 3. A router with an additional interface card has been purchased and the client wants to configure all 3 ISPs on the HO router in a manner that provides failover from one ISP to the other when there is an issue with the former. VPN traffic between the HO and the sites is what passes through these physical and logical connections.

Task now is to configure the new HO Router with the 3 ISPs such that when ISP1 fails, ISP2 picks up routing traffic. HO ASA will remain in the picture and will maintain its primary function of managing all VPN related traffic between the HO LAN and remote site LAN. Remote site ASAs need to be configured in such a way that they can track when ISP1 at HO is down and accept or initiate VPN traffic from/to the HO via ISP2. I have attached a sketch of what the network topology must look like after the setup is complete.

I have spent some time trying to introduce BGP but the client does not have its own range of public IPs and AS number, so that has been put on ice.

I have also considered DMVPN, but this also is a problem because all the end point devices at the remote sites are all ASA devices.

So I am now stuck and really lost as to what to do next. I would appreciate any advice and probably sample configs that can help.

Regards,

Femi

1 Reply

femi.agboade
Level 1

Hello,

So I have the following config for the HO router, and a little something I think for the HO ASA, but not a clue what to do on the remote ASA to allow it to monitor all three HO ISPs and know when to route traffic through a working ISP. Any ideas please?

HO ROUTER

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HO_Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
no ip dhcp use vrf connected
!
no ipv6 cef
!
multilink bundle-name authenticated
!
ip audit po max-events 100
!
! ISAKMP policy: no hash or group is set, so the IOS defaults (SHA-1, DH group 1) apply;
! add "group 14" (or higher) if the remote ASAs support it
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! Wildcard keyrings (address 0.0.0.0 0.0.0.0) accept any peer that knows the key;
! narrow the address/mask to each remote site's public address where it is static
crypto keyring ISP1
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey1
crypto keyring ISP2
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey2
crypto keyring ISP3
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey3
!
crypto isakmp profile ISP1
   keyring ISP1
   match identity address 0.0.0.0
!
crypto isakmp profile ISP2
   keyring ISP2
   match identity address 0.0.0.0
!
crypto isakmp profile ISP3
   keyring ISP3
   match identity address 0.0.0.0
!
crypto ipsec profile IpsecProf1
 set transform-set AES256SHA
 set isakmp-profile ISP1
!
crypto ipsec profile IpsecProf2
 set transform-set AES256SHA
 set isakmp-profile ISP2
!
crypto ipsec profile IpsecProf3
 set transform-set AES256SHA
 set isakmp-profile ISP3
!
! One mGRE/NHRP (DMVPN hub) tunnel per ISP uplink, each sourced from its own ISP interface.
! Note: with a single global routing table the encapsulated GRE packets of Tunnel2/Tunnel3
! still follow the active default route; use a front-door VRF (fVRF) per ISP if each
! tunnel must always egress its own uplink.
interface Tunnel1
 bandwidth 2000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpauth
 ip nhrp map multicast dynamic
 ip nhrp network-id 53
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
 bandwidth 2000
 ip address 172.16.20.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpaut2
 ip nhrp map multicast dynamic
 ip nhrp network-id 54
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile IpsecProf2
!
interface Tunnel3
 bandwidth 2000
 ip address 172.16.30.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpaut3
 ip nhrp map multicast dynamic
 ip nhrp network-id 55
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 3
 tunnel protection ipsec profile IpsecProf3
!
interface GigabitEthernet0/0
 description To ASA
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP1
 ip address a.a.a.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description ISP2
 ip address b.b.b.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description ISP3
 ip address c.c.c.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 default-information originate always
!
! PAT the LAN behind whichever ISP interface the packet actually leaves on
ip nat inside source route-map EXIT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map EXIT_ISP2 interface GigabitEthernet0/2 overload
ip nat inside source route-map EXIT_ISP3 interface FastEthernet0/0/0 overload
ip forward-protocol nd
ip classless
!
ip sla responder
!
! Reachability probes to each ISP gateway. These detect a dead link or gateway only,
! not an upstream ISP outage; the default probe frequency is 60 s, so add
! "frequency 10" under each probe for faster failover.
ip sla 1
 icmp-echo a.a.a.1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo b.b.b.1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo c.c.c.1
ip sla schedule 3 life forever start-time now
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
no ip http server
no ip http secure-server
!
! Floating default routes. With equal administrative distance all three would be
! installed and load-shared; ascending distances give ISP1 -> ISP2 -> ISP3 failover.
ip route 0.0.0.0 0.0.0.0 a.a.a.1 track 10
ip route 0.0.0.0 0.0.0.0 b.b.b.1 10 track 20
ip route 0.0.0.0 0.0.0.0 c.c.c.1 20 track 30
!
! The 172.16.x.0/24 tunnel subnets are directly connected on the Tunnel interfaces,
! so static routes for them toward the ISP gateways are shadowed and not needed:
! ip route 172.16.10.0 255.255.255.0 a.a.a.1
! ip route 172.16.20.0 255.255.255.0 b.b.b.1
! ip route 172.16.30.0 255.255.255.0 c.c.c.1
!
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
!
route-map EXIT_ISP1 permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map EXIT_ISP2 permit 10
 match ip address 110
 match interface GigabitEthernet0/2
!
route-map EXIT_ISP3 permit 10
 match ip address 110
 match interface FastEthernet0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end


**************************************************************************************

HO ASA

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 cisco123
 speed auto
 duplex auto
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 cisco123
 speed auto
 duplex auto
!
router ospf 1
 network 10.0.1.0 255.255.255.0 area 0
 network 192.168.0.0 255.255.255.0 area 0
!
! ASA static route syntax is "route <nameif> ...", not the IOS "ip route"
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
!
! "ip forward-protocol nd" is an IOS command and is not valid on the ASA, so it is dropped.
! The OUTSIDE-IN access-list must be defined (access-list OUTSIDE-IN extended ...) before it is applied.
access-group OUTSIDE-IN in interface outside
!
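For the remote-ASA side that the post says is missing, here is an added sample (not the thread's own config) showing how an ASA can probe the three HO addresses with sla monitor/track and fail an IKEv1 site-to-site tunnel over across them with a multi-peer crypto map and DPD. It assumes the HO VPN endpoint is reachable at the router's three ISP addresses a.a.a.2, b.b.b.2 and c.c.c.2 from the posted config (how that is arranged on the HO side is not covered), a remote LAN of 192.168.1.0/24, and a pre-shared key shown as the placeholder <PSK>.

```cisco
! Remote-site ASA: added example, not from the thread. Placeholders: <PSK> = shared key,
! 192.168.1.0/24 = remote LAN; a.a.a.2/b.b.b.2/c.c.c.2 = HO uplinks from the posted config.
! Reachability probes to each HO uplink; "show track" then shows which HO ISPs are alive
sla monitor 1
 type echo protocol ipIcmpEcho a.a.a.2 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho b.b.b.2 interface outside
 frequency 10
sla monitor schedule 2 life forever start-time now
sla monitor 3
 type echo protocol ipIcmpEcho c.c.c.2 interface outside
 frequency 10
sla monitor schedule 3 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
track 3 rtr 3 reachability
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac
!
access-list VPN-TO-HO extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! The peer list is tried in order; the ASA moves to the next peer when IKE to the current one fails
crypto map OUTSIDE_MAP 10 match address VPN-TO-HO
crypto map OUTSIDE_MAP 10 set peer a.a.a.2 b.b.b.2 c.c.c.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256SHA
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per HO address; DPD (isakmp keepalive) detects a dead HO uplink
tunnel-group a.a.a.2 type ipsec-l2l
tunnel-group a.a.a.2 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group b.b.b.2 type ipsec-l2l
tunnel-group b.b.b.2 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 2
tunnel-group c.c.c.2 type ipsec-l2l
tunnel-group c.c.c.2 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 2
```

The crypto map peer list does the actual failover; the sla/track entries only give operators visibility into which HO uplinks are reachable. The ASA does not preempt back to the first peer once ISP1 recovers until the tunnel to the backup peer is torn down.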
