Recommended hardware for site-2-site connection with dual ISPs on each site

zentner · ‎10-24-2007

Hello!

Can anyone give me a hint what hardware and technology has to be used to set up a connection from a central site to a remote site. On both sites there are two different ISPs with different bandwidths and reliability. Therefore loadbalancing should be achieved regarding the tunnels. Other features which are requested are:

- policy based routing for users on central site (group 1 should use ISP one and group 2 should use the other one with fallback if one the ISPs fails)

- terminating of remote access VPNs on the central site (possible on both ISP connections)

- the remote site should have direct internet access by split tunneling

- a DMZ interface for future use on the central site should also be provided

The customer already has a ASA5510 but not configured yet. Can this device be used for the setup in such way?

Any feedback is appreciated.

Kind regards!

sadbulali · ‎10-30-2007

If you are going to add an E3 connection to an ISP, the router recommendation will obviously change to a 7200. There are many options for load balancing methods utilizing BGP for a dual-connectivity setup, so we may want to go through these when the time comes. We can use BGP metrics to force user traffic out a different link than the Web Banking traffic, such as AS path prepending.

Massimo Baschieri · ‎10-30-2007

You can use asa's for frontend ipsec tunneling between sites and 2800/3800 series routers for backend gre tunneling.

Asa's can also take care of vpn client access and even firewalling services.

This way you can enjoy the strong security of the asas and the great flexibility of ios.

Bye,

Max.