
EIGRP and ASA

coletemple
Level 1

Hi all,

I am trying to put in place an ASA to terminate VPN sessions for my users in an EIGRP environment. Do I have to put a router in front of the ASA, or does the ASA support EIGRP routing?

Also, instead of using an ASA, can I just use a router/VPN (250 VPN sessions) to replace the ASA? Which model can I use then?

What is the best implementation?

Thanks for your help.

4 Replies

francisco_1
Level 7

The Cisco ASAs can run EIGRP, maintain a full routing table, and also act as a VPN concentrator.

See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008086ebd2.shtml

The ASA is capable of doing what you want, but you might have to go for higher models to get more throughput.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Can you give us more info on what you are trying to accomplish?

Thanks Francisco.

Basically, I am helping in the design of a bank network which consists of an HQ, branches accessing HQ to update some information, and a backup site which is supposed to automatically take over in case of an HQ link failure.

Bank users (branches) basically connect to the HQ through a VPN client (SSL or VPN) and land on the ASA at the HQ.

A failover policy is put in place so when there is a problem with the link to the HQ, the backup link must take over, and because EIGRP is running, all the users (in the branches) should be transparently redirected to the backup site (how to implement this in the SSL VPN client?).

- That explains why I am running EIGRP, but I am still thinking about a way to fix the automatic failover.

- Do you have any hints on where I might find some configs and design architectures of this kind?

Any idea will be much appreciated!

How will your failover work? Say from a branch you have a dedicated link to the HQ site acting as the primary link. Will you have another link from that branch as a backup going to the HQ as well? So from a single branch you have 2 links, one active and the other standby? Or are the branches in a full mesh topology?

With the ASAs you can have an SSL VPN active/standby failover scenario. For example, bank users connecting to the HQ site via SSL VPN will connect to the active ASA and then have a standby ASA to fail over to.

To help you better, do you have a design diagram?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Yes, you're right. There is a backup link to the backup site where the users get connected in case of a link failure.

I need to have a way to perform this failover on the VPN soft client from the branch side. The 2 links will be in an active/standby mode.

I have just started to look for a solution to implement this, and the network diagram, to be honest, is still fuzzy in my head. I hope I can find an implementation of this that has already been done somewhere, and I will have to look into the equipment.
