Unanswered Question
Sep 22nd, 2009
User Badges:

Hi all,

I am trying to put in place an ASA to terminate VPN sessions for my users in an EIGRP environment. Do I have to put a router in front of the ASA or does the ASA supports EIGRP routing ?

Also,instead of using an ASA, can I just use a router/VPN (250 VPN sessions) to replace the ASA ? which model can I use then ?

what is the best implementation ?

Thanks for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
francisco_1 Tue, 09/22/2009 - 03:10
User Badges:
  • Gold, 750 points or more

The Cisco ASA's can run EIRGP - Maintain full routing table and also a VPN concentrator.

See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008086ebd2.shtml

The ASA is capable of doing what you want but you might have to go for higher models to get more through-put


Can you give us more info on what you are trying to accomplish?

coletemple Tue, 09/22/2009 - 06:34
User Badges:

Thanks Francisco.

Basically, I am helping in the design of a bank network which consist of a HQ, branches accessing HQ to update some informations and a Back up site which is supposed to automatically take over in case of a HQ link failure.

Bank users (branches) basically connect to the HQ through a VPN client (SSL or VPN)and land to the ASA at the HQ.

A failover policy is put in place so when there a problem with the link to the HQ, back up link must take over and because of EIGRP running, all the users (in the branches) should be transparently redirected to the Back Up site (how to implement this in the VPN SSL client ???).

-That explains why I am running EIGRP but I am still thinking about a way to fix the automatic failover.

-Do you have any hints where I might find some config and designs architecture of this kind ?

Any idea will be much appreciated!

francisco_1 Tue, 09/22/2009 - 07:13
User Badges:
  • Gold, 750 points or more

How will your failover work? say from a branch you have a dedicated link to the HQ site acting as the primary link. will you have another link from that branch as well as a backup going to the HQ as well. so from a single branch you have 2 links, one active and the other standby? or are the braches in a full mesh topolgy?

With the ASA's you can have SSL VPN active/standby failover scenario. for example banks users connecting to HQ site via SSL vpn will connect to the active ASA and then have a standby ASA to failover to.

To help you better do you have a design diagram?


coletemple Tue, 09/22/2009 - 07:37
User Badges:

yes, you're right. There is a back up link to the back up site where the users get connected in case of a link failure.

I need to have a way to perform this failover on the VPN soft client from the branch side.The 2 links will be in an active/standby mode.

I have just started to look for a solution to implement this and the network diagram, to be honest, is still fuzzy in my head. I hope i could find an implementation of this already been done somewhere and will have to look into the equipments.


This Discussion