02-09-2021 02:36 PM
Hello,
I have two locations. Both locations have an ASA and an internet connection and are connected via VPN. They're also connected with an MPLS connection as a backup connection to the VPN. If internet drops at one site, I can still reach the internet through the MPLS and out the other site's internet connection.
Each site is connected to a 3rd party vendor via IPSec VPN. I want this to be fully redundant as well, and it's been suggested that I set up two VPNs at each site to the 3rd party vendor. So four VPNs.
1. Site 1 to Vendor for Site 1 to Vendor traffic.
2. Site 1 to Vendor for Site 2 to Vendor traffic. (This would be a backup if Site 2's internet went down)
3. Site 2 to Vendor for Site 2 to Vendor traffic.
4. Site 2 to Vendor for Site 1 to Vendor traffic. (This would be a backup if Site 1's internet went down)
I have a /28 block of external IPs at each site. Is it even possible to set up a site-to-site VPN using an external IP that is not the primary external interface IP? If so, how? If not, does anyone have any ideas of how this should be made redundant?
Thanks!
Andy
02-09-2021 03:16 PM
I have a /28 block of external IPs at each site. Is it even possible to set up a site-to-site VPN using an external IP that is not the primary external interface IP?
No, I guess here the VPN address is required to be attached to the interface for the VPN to work.
02-09-2021 04:00 PM
You will have to use the external interface IP address as the source of both of your VPN tunnels at both sites. The only way around this that I can see would be if you had a second ISP for which you would have a second external interface IP address with them. This obviously could get expensive and the way that you're currently doing it looks really good in terms of being able to utilize the Internet of the far side if your local ISP fails for any reason.
02-09-2021 04:47 PM
Thanks guys. You each answered one of my questions. One is that it's not possible. And two that the secondary internet connection would be the only way to do that. I'll discuss the options with my client.