VPN spanned over two WAN connections on Cisco ASA?

gareth_r52
Level 1

Hello,

I have a quick question for you guys, as I'm not too sure if you can do this.

Basically, we are connecting two offices together and need higher bandwidth between the sites over VPN. The main site has a leased line and the remote site has an SDSL connection with a secondary ADSL line with a different provider, set in failover mode.

There is a Cisco ASA 5520 at the main branch and a 5510 at the remote site, with a site-to-site VPN between the sites. Is it possible to use the failover line to increase our bandwidth over the site-to-site VPN? What I mean by this is: create a VPN link combined over the two WANs?

Draytek have a feature on their 2930 series that allows you to do this, called VPN Trunk/Bonding. I was wondering if this is possible on the Cisco ASA? If not, is there any way I could achieve this with any additional hardware? I don't want to use the Draytek for the main site, obviously because the load would probably kill it, but I'm not against using this at the remote site in front of the ASA.

Thanks in advance.

1 Accepted Solution


Marvin Rhoads
Hall of Fame

There's no ASA feature that does what you're asking, AFAIK.

Depending on your traffic profile, you might be able to hack a solution by creating two site-site VPNs (one via SDSL and the other via the ADSL) and applying the crypto map for some traffic to the one and the rest of the traffic to the other one.


That's what I thought; the only way I can see it working is if I got the Draytek to create the tunnels and then have the ASA sit behind it as a firewall. Not sure if the Draytek requires another Draytek on the other site though.

Thanks for confirming this. Shame the ASAs don't support a little more really; one of the other things I miss for a smaller office is the DNS proxy/cache which can be found on IOS devices.

Hi Marvin,

Is it possible to use ECMP for this?

Regards

Vaibhav

Nice thought, but ECMP is not supported across multiple interfaces.

Source:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/115986-asa-eqm-products-configuration-example.html

Hi Marvin,

I just read somewhere:

Starting with ASA 9.3.2, ASA supports 8 ECMP routes over multiple interfaces using zones.

Good catch - you might be able to get that to work.

Let us know how it works out if you get an opportunity to try it.