[c-nsp] Dynamic IP VPN clients on a dual-ISP ASA 5505

Jan Gregor jan.gregor at chronix.org
Fri Feb 26 06:18:59 EST 2010


From what they tell you, I suspect that they suggest that you should
statically route IP addresses of one group of clients (that's the reason
why static IP addresses - you need to define them).
The feature you are looking for should be accomplished with policy based
routing, but this is not supported by the ASA; we do it with an IOS
based router. Also you will probably need traffic classification to be
used later inside PBR, and this can't be done by the ASA either :) .
So to conclude, it is doable, but you need one device between the ASA and
the internet to do the PBR and one device between the ASA and the HQ LAN to
do the markings (or maybe you have such a device there). Whether this solution
is better than buying static IP addresses is entirely up to you :).

Best regards,


Frank Bulk wrote:
> We have a customer that recently added a second ISP uplink to their ASA 5505
> at the hub (headquarters) and would like to migrate some of their spokes
> (IPSec) sites to terminate on the new uplink at the hub.  Secondly, they
> would like the new uplink to be their hub's primary internet link (using
> PAT).
> Their spokes are predominantly using SOHO gear on different ISP services
> that have dynamic IP addresses, and behind each spoke is a unique private
> subnet.
> What Cisco is telling us is that if we want to use dual-ISP interfaces, the
> spokes cannot use dynamic WAN IP addresses.  If the spokes have static WAN
> IP addresses it will work -- something with how the VPN session gets set up and
> the fact that the default router is for the new uplink, we're told.  But the
> client wants to avoid the $10/month charge for a static for each spoke, if
> at all possible.
> With all the knobs and buttons that the ASA has, I find this a little
> surprising.  Does anyone have a similar setup for which they would be
> willing to share a configuration snippet?
> Here's an abbreviated configuration:
>           headquarters
>          192.168.x.0/24
>                 |
>             ASA 5505
>              /    \
>           ISP #1  ISP #2
>             |      |
>             INTERNET
>              |    | 
>              |    |
>     dynamic IP    dynamic IP
>       Remote A    Remote B
> 192.168.a.0/24    192.168.b.0/24
> A bonus would be if HQ could automatically fail over to the other ISP link,
> Thanks in advance for any assistance.
> Regards,
> Frank Bulk
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
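The two-device design sketched in the reply above (a marking device between the HQ LAN and the ASA, and a PBR device between the ASA and the two ISPs), written out as an added IOS configuration example. It is not from this thread, from Cisco, or from the original poster's network: interface names, IP addresses, ACL/route-map/policy names and the AF41 mark are constructed placeholders, and it assumes that the ASA copies the inner DSCP value to the outer ESP header so the mark survives encapsulation (verify this on the ASA version in use). The mark is what makes the Internet-side match possible at all, because the spoke WAN addresses are dynamic and cannot be listed in an ACL.

```ios
! ---- Device 1: IOS router between the HQ LAN and the ASA inside interface ----
! Marks traffic destined for the "group B" spoke subnets (the spokes that
! should use ISP #2) with DSCP AF41. Constructed example values:
!   HQ LAN            192.168.10.0/24
!   group B spokes    192.168.11.0/24 and 192.168.12.0/24
!
ip access-list extended GROUP-B-SPOKES
 remark HQ LAN -> subnets behind the spokes that should leave via ISP #2
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
!
class-map match-all CM-GROUP-B
 match access-group name GROUP-B-SPOKES
!
policy-map PM-MARK-GROUP-B
 class CM-GROUP-B
  set dscp af41
!
interface GigabitEthernet0/0
 description HQ LAN (marking applied on ingress from the LAN)
 ip address 192.168.10.1 255.255.255.0
 service-policy input PM-MARK-GROUP-B

! ---- Device 2: IOS router between the ASA outside interface and both ISPs ----
! Unmarked traffic follows the default route to ISP #1. Packets still carrying
! the AF41 mark after the ASA has encapsulated them (assumption: DSCP is
! preserved on the ESP outer header) are policy-routed to ISP #2.
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list extended PBR-GROUP-B
 remark match on the DSCP mark, not on spoke addresses (those are dynamic)
 permit ip any any dscp af41
!
route-map PBR-TO-ISP2 permit 10
 match ip address PBR-GROUP-B
 set ip next-hop 198.51.100.1
!
interface GigabitEthernet0/0
 description transit link towards the ASA outside interface
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map PBR-TO-ISP2
!
interface GigabitEthernet0/1
 description ISP #1 (default path)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP #2 (policy-routed path for group B)
 ip address 198.51.100.2 255.255.255.252
```

To confirm the marking and the policy routing are actually taking effect, `show policy-map interface GigabitEthernet0/0` on the first router shows the class-map match counters, and `show route-map PBR-TO-ISP2` on the second router shows how many packets the route-map has policy-routed. Two limits worth knowing before building this: IKE packets the ASA generates itself are not derived from marked LAN traffic and so will take the default route, and how the two public tunnel endpoints are addressed or translated on the router in front of the ASA is not covered here.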
