10-04-2012 03:43 PM - edited 02-21-2020 06:23 PM
Greetings,
Site A has an ASA 5510 and a single internet connection.
Site B has two internet connections (primary and backup).
If Site B also has an ASA, I can configure Site A's ASA to deal with a failover at Site B (set peer 1.1.1.1 2.2.2.2). Does this work if Site B has an IOS router instead of an ASA? In other words will "set peer 1.1.1.1 2.2.2.2" on the ASA work when it's talking to IOS on the other end? I have not been able to find a definite answer to this question anywhere...
Thanks!
Bob
10-04-2012 07:36 PM
there is a very simple solution to this: do NOT use ASA for site-to-site VPN, use Cisco IOS instead.
On site B, use Cisco IOS router, create a loopback interface with a public IP address, make sure that the loopback interface is reachable over the Internet by the ASA at site A. Set up your VPN at site B using the loopback interface.
That way, the VPN is independent of the Primary or Backup Internet connections.
Your VPN will work regardless of whether the Primary or Backup connection is active.
Easy right?
10-05-2012 09:11 AM
Interesting thought, but it requires that the loopback address be accessible via either ISP, which isn't an option I have in this case. I need to do it with two separate IP addresses.
Thanks,
Bob
10-05-2012 12:39 AM
Hello David,
Great answer and 100% useful.
But to add to Robert: yes, it will work, because as long as you have crypto isakmp enabled on the outside interface of the ASA, it will try to set up the VPN to its peers. So if the primary on site B is up the VPN will be built between those 2.
If the secondary is up and the primary not then the VPN will flow to the secondary.
That's another option as well.
Regards,
Julio
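An added configuration sketch, written for this thread and not posted by anyone in it, that puts Julio's two-peer suggestion on the ASA side together with an IOS end that answers on either ISP address (David's loopback variant would instead bind the map with `crypto map OUTSIDE_MAP local-address Loopback0`). All addresses, names, interfaces and the `<PSK>` placeholder are assumptions; Site B's default-route failover between the two uplinks (IP SLA tracking or dynamic routing) is assumed to be handled elsewhere.

```cisco
! Added example, not from the thread. Placeholders: 3.3.3.3 = Site A ASA outside,
! 1.1.1.1 = Site B primary ISP, 2.2.2.2 = Site B backup ISP. LANs: 10.1.0.0/16 (A), 10.2.0.0/16 (B).
! ---- Site A: ASA 5510, 8.4 syntax, single ISP ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
! One tunnel-group per remote address, each with its own PSK and DPD (threshold/retry, seconds).
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 3
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <PSK>
 isakmp keepalive threshold 10 retry 3
access-list L2L_SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
! Both Site B addresses: the ASA initiates to 1.1.1.1, moves to 2.2.2.2 once DPD declares
! the first dead, and accepts a tunnel initiated from either address (brief outage in between).
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP interface outside
! ---- Site B: IOS router, two ISP uplinks ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK> address 3.3.3.3
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
ip access-list extended L2L_SITEA
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS_AES
 match address L2L_SITEA
! The same map on both uplinks: whichever interface carries the default route at the time
! sources IKE, so the ASA sees 1.1.1.1 or 2.2.2.2 as the peer and matches its tunnel-group.
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 crypto map OUTSIDE_MAP
interface GigabitEthernet0/1
 ip address 2.2.2.2 255.255.255.252
 crypto map OUTSIDE_MAP
```

The IKEv1/SHA-1/DH group 2 parameters mirror the 2012-era platforms in the thread; a current deployment would move to IKEv2 with a stronger DH group and hash. Check the result with `show crypto ikev1 sa` on the ASA and `show crypto isakmp sa` on the router after pulling the primary uplink.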
10-05-2012 02:04 AM
Your option will work BUT you will experience a brief outage.
With my recommendation, there will be NO outage because as long as the loopback interface of the router at site B is reachable, the VPN will never go down.
I really don't understand why people keep using ASA for site-to-site VPN termination. The ASA is NOT designed for that kind of thing. Cisco IOS is.
10-05-2012 09:13 AM
Hello David,
Agree with you!
I was just pointing out a different option.
Now regarding the second statement
"The ASA is NOT designed for that kind of thing. Cisco IOS is." I disagree on that, I think the ASA is good on many things! One of them the VPN and that's for sure.
Regards,
10-05-2012 04:04 PM
"ASA is good on many things! One of them the VPN and that's for sure."
Here is a list of what ASA can not do, just to name a few:
-terminate both GRE/IPSec on the ASA (multicast over the VPN tunnel)
-DMVPN (spoke to spoke over the VPN, multicast, etc)
-getVPN (stateless VPN)
-VTI
-very complex VPN scenarios
Now tell me one thing about VPN that ASA can do but IOS can not
10-05-2012 04:15 PM
See my reply from earlier today. :-) I, for one, certainly agree with you that IOS can do more. But is there a solution to the NAT problem I described? (See https://supportforums.cisco.com/thread/2172082 and https://supportforums.cisco.com/message/3749650#3749650) If the IOS device is both a VPN endpoint and a firewall and you have overlapping addresses on the private lans you are apparently screwed. Unless there is an answer that I have been unable to find, of course... :-)
Regards,
Bob
10-05-2012 04:49 PM
I am sure there is a workaround for this. However, I am working for "free" so I am not putting in too much time on this issue at the moment because I don't have a requirement for it yet.
Why don't you open a TAC with Cisco? That's what support is for right?
10-05-2012 05:19 PM
Hello David,
Just the troubleshooting options the ASA provides you for any feature (including VPN) make it a top option for VPN purposes.
The flexibility that the ASA provides you,etc.
10-05-2012 05:23 PM
Ok, name a specific utility that ASA provides that Cisco IOS can not?
You realize that Cisco IOS also has an Embedded Capture Packet (ECP) module as well, right?
So educate me on a troubleshooting tool where ASA is superior over Cisco IOS.
By you saying "The flexibility that the ASA provides you, etc.", ASA can not:
-terminate both GRE/IPSec on the ASA (multicast over the VPN tunnel)
-DMVPN (spoke to spoke over the VPN, multicast, etc)
-getVPN (stateless VPN)
-VTI
-very complex VPN scenarios
Is that what you called flexibility? Am I missing something?
10-05-2012 05:32 PM
Hello David,
ECP... Of course I know what that is, but let me tell you the packet capture on the ASA is way easier to use (way more flexible to check it, to download it, to build it).
The ASP capture of the ASA: another point to the ASA.
And finally the almighty packet-tracer of the ASA: I would give 10 points for that.
Anyway... nice debate but it's Friday night and I hope you 2 have a wonderful weekend as I will.
Regards,
10-05-2012 09:19 AM
OK, good to know that ASA-to-IOS should work with two addresses at the IOS end. Other documents I have read say it works only when talking to another ASA. I guess I have to test it...
One problem with IOS and site-to-site VPNs... If you're using the IOS router as both your VPN endpoint and your internet access firewall AND you have an IP address overlap with the remote VPN end, there appears to be no way to get IOS to "static network" NAT only the VPN traffic and PAT/overload the internet traffic. With ASA it is easy. See these threads:
https://supportforums.cisco.com/thread/2172082
https://supportforums.cisco.com/message/3749650#3749650
Regards,
Bob
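An added example of the ASA side of the overlap case Bob describes, not posted by anyone in the thread: both LANs use 192.168.1.0/24, so the ASA statically translates its LAN to 10.10.1.0/24 only for traffic bound for the remote site's translated range and PATs everything else to the outside interface. Object names, addresses and the ASA 8.3+ NAT syntax are assumptions; the IOS side's own translation to 10.10.2.0/24 is not shown.

```cisco
! Added example, not from the thread. Both sites use 192.168.1.0/24 internally; Site A's ASA
! presents its LAN to the tunnel as 10.10.1.0/24 and expects Site B to appear as 10.10.2.0/24.
object network LAN_REAL
 subnet 192.168.1.0 255.255.255.0
object network LAN_VPN
 subnet 10.10.1.0 255.255.255.0
object network REMOTE_VPN
 subnet 10.10.2.0 255.255.255.0
! Twice NAT (section 1, evaluated first): only packets to the remote VPN range get the
! one-to-one static translation 192.168.1.x -> 10.10.1.x; the destination is left untouched.
nat (inside,outside) source static LAN_REAL LAN_VPN destination static REMOTE_VPN REMOTE_VPN
! Everything else from the LAN falls through to object NAT (section 2) and is PAT'd to the
! outside interface address, so Internet-bound traffic never receives the VPN mapping.
object network LAN_REAL
 nat (inside,outside) dynamic interface
! The crypto ACL matches the translated addresses, because NAT runs before encryption.
access-list L2L_SITEB extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
! Verification with packet-tracer (the tool Julio praised above): the NAT phase should show
! the static rule for a VPN-bound flow and the dynamic PAT rule for an Internet-bound one.
! 198.51.100.7 is a constructed Internet destination.
packet-tracer input inside tcp 192.168.1.10 1025 10.10.2.20 445
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.7 443
```

The first packet-tracer run should also end in the VPN encrypt phase and the second must not; if the second does, the twice-NAT rule's destination object is too broad.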
11-27-2012 07:41 AM
Were you ever able to get this to work? I am trying something similar and it's not working. I have an ASA at a remote site configured with 2 peers, both IOS routers. When the first goes down, the ASA tries to set up the VPN to the second router, but I get the following messages in the log -
*Nov 16 15:30:28.577 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x. was not encrypted and it should've been.
*Nov 16 15:30:28.577 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.
Any ideas?
11-27-2012 09:10 AM
Unfortunately I have not had an opportunity to try it, though I should in the next few weeks. All I can say at this point is that after my last post to this thread I opened a ticket with Cisco and asked the same question. The engineer assured me that ASA-to-IOS VPN with multiple ISPs at the IOS end will work. That's all I've got at this point. Sorry for not having more info...
Please post if you find out anything more. :-)
Regards,
Bob