Redundancy with ASA/VPN solution recommendations

Aug 13th, 2008

Hi All,

One of my clients has an Ethernet handoff for internet with a /26 public space (using .1 for the ISP core) assigned from the ISP. Client has

--> Active/Standby ASAs on the edge connected to an external switch, and the ISP handoff is also on the same switch, and everything works perfectly.

--> Facility also has Citrix servers registered with ISP-assigned (public) IPs

--> ASA has production VPN tunnels (L2L) terminating and is also a backup RA VPN box

Now, we want to add redundancy here by bringing in another ISP. The current ISP cannot extend the existing /26 --> /24 (so that we can use BGP) as the addresses have been used by other customers. I can use another ISP for going to the internet with the tracking feature configured on the ASA, but is there any way to do the redundancy for VPN peers & Citrix servers registered with ISP1 public IPs...?

Thank you all in advance.


Marwan ALshawi Wed, 08/13/2008 - 19:34

The best redundancy is done through routing protocols, and then you influence path selection.

If you have a simple drawing of your topology it will be more helpful to find alternatives.

mvsheik123 Thu, 08/14/2008 - 06:19


Thank you. Please see the attached diagram. Please note that...

1. Both core switches acting as OSPF ABR/ASBR but pointing to ASAs with static

2. ASA also has OSPF enabled and acting as

Thank you in advance


Marwan ALshawi Thu, 08/14/2008 - 06:29


Now, what do you want to achieve exactly?

And will the new ISP connection terminate on the same gateway you have now?

mvsheik123 Thu, 08/14/2008 - 08:01

The current gateway (.1) is the ISP's MPLS core, so the client has no control over it. What the client wants is to bring a new ISP in (no issues if we need to buy new gear) and make sure the internet/VPN & Citrix access from the internet will be available/fail over to the second ISP, in case the existing ISP goes down.

Thank you


Marwan ALshawi Thu, 08/14/2008 - 21:21

Now, based on your topology everything is working fine.

What I suggest after you add the new gateway: just get an additional connection from each firewall and make the proper NATing, whatever you want, on the new gateway.

In this case you will have it as a backup without changing your current network.


Users who log in remotely and VPN

you need to provide them with

For VPN remote access just add the new IP of the VPN through the new gateway in the backup section in the VPN clients.

For site to site VPN

In the remote sites you need to create an additional crypto map. Let's say the remote peer has

crypto map map1 10

You need to add a map with the same name but a higher sequence number


crypto map map1 20

and the peer in this second map is the new IP through the new gateway.

And good luck

Please, if helpful, rate
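As an added example (not from the thread or from either poster), the hub ASA side of the dual-ISP setup described above, with the second ISP on a new interface and a tracked default route, plus the spoke router's crypto map; the spoke entry lists both hub addresses in a single entry rather than a second sequence number, which is the IOS way of trying the next peer when the current one stops answering. Interface names, map/ACL names and all addresses (RFC 5737 ranges) are constructed placeholders.

```text
! ---- Hub ASA (constructed example) ----
! Primary ISP on "outside", second ISP on a new interface "backup".
interface GigabitEthernet0/2
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.192
!
! Probe ISP1's gateway; when the probe fails, the tracked default route is
! withdrawn and the floating default via ISP2 (metric 254) takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! The existing L2L crypto map and ISAKMP must also be bound to the backup
! interface, otherwise spokes cannot rebuild tunnels to the ISP2 address.
crypto isakmp enable backup
crypto map outside_map interface backup
!
! ---- Spoke router (IOS, constructed example) ----
! Both hub addresses in one entry: IOS walks the peer list in order when
! the current peer is unreachable. DPD keepalives are what make a dead
! primary noticed promptly instead of waiting for the SA lifetime to expire.
crypto isakmp keepalive 10 3 periodic
crypto map map1 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.10
 set transform-set ESP-AES-SHA
 match address VPN_TRAFFIC
```

Failover is only as fast as the probe and DPD timers, so expect existing tunnels to drop and be re-established by the spoke to the second address; this covers the hub's Internet and L2L paths, not the Citrix servers that are published on ISP1 addresses.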

mvsheik123 Fri, 08/15/2008 - 06:06

Sounds good. So, at the main location, I don't need to make any changes to the 'crypto' statements. But I still need to create the ACLs for the new backup interface, which is a replica of the current outside, is that correct..?

Now, per the design the DMZ is also connected to the external switch (VLANed). There are a couple of servers on the DMZ. I would like to move them to dedicated DMZ switches and still provide redundancy via the ASAs. Will adding 2 different DMZ switches on the ASAs and connecting each NIC (teaming) on the servers to each switch help..?

Thank you


