
Design : Dual ISP connectivity for VPN redundancy on PIX or ASA ver 7.0.4

gkumar1979
Level 1

I have 2 different ISP links on which I need to run VPN, and I want the links to be in redundancy. There are limitations, but is there any design workaround that you people can suggest?

3 Replies

mheusinger
Level 10

Hello,

Network design also means paying attention to any restriction/limitation. Can you shed some light on the topology you have, the equipment involved and the "limitations" mentioned?

Thanks in advance

Martin

Dear Martin,

Thanks for your response. I have a PIX with version 7.0.4 and 2 ISP links. I have VPN connectivity between 2 offices over IPsec. My US office is stable, but the India-end links fluctuate, so in India I have 2 ISPs and am required to make them redundant. Previously I had one ISP link, so it was working fine.

But now with 2 ISPs I can't understand the design for how to load balance VPN on that.

If you require any other info, please write back to me.

Thanks

Gaurav

Hi there,

For this to work, you'll need more equipment in the design (the PIX itself can't have two default gateways):

Option A)

1) Put in another PIX on ISP link #2

2) Enable OSPF routing over the IPsec links

link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

3) Let your internal LAN router on the India side talk OSPF with the PIXes as well. If you don't have a LAN router, you'll need another interface on the PIXes to allow for forwarding the packets to the other PIX. Or just inside & outside on the extra PIX, while you add another interface on the old one... or the other way around... you choose. :)

Option B)

1) Put a router in front of the PIX and let the ISP connections go to this router.

2) Do some bidirectional NAT'ing on the router to let the connections be 'stateful'

link: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dda293f/3#selected_message

Did it help? If so, please rate it.