2 WAN links/1 default gateway-ASA Design Best Practice?

Dec 7th, 2009

Hi Community,

hoping you can help here. We currently have an ASA in place with a single outside interface (public ip address) used for our Site-to-Site VPNs, our Dynamic VPN Clients, our publicly reachable servers and, of course, our outgoing traffic. This outside interface has a default route to our gateway router which connects up to the ISP.

Due to congestion issues (internet traffic slowing our Site-to-Site VPN traffic) we ordered a VDSL link from our ISP (as a PPPoE interface with a dynamic address). We would like to use this link for all our internet traffic, while keeping our VPN traffic on the slower speed, statically addressed link. Initially we configured the new VDSL link on an ASA interface, using the PPPoE 'setroute' option to install a default route into the ASA with the next hop provided by the ISP. We then created static routes to our gateway router for the remote endpoints of our Site-to-Site VPN tunnels. We were very pleased with our improved access to the remote sites as well as our speedy new internet connection... and then...

We found our dynamic VPN connections broken - of course - as they were using the statically addressed interface for their tunnel endpoint but the return traffic was going out the VDSL interface to the default gateway. The same problem held true for our externally available resources - requests came down the statically addressed link and responses went out the VDSL link. Traffic behaviour as expected, if not as desired.

So now we are seeking a solution and have come up with the following bright ideas:

1) keep the router on the WAN side of the ASA and attach the VDSL link there, using it as before as the default gateway for outgoing traffic. This would result in all inbound VPN traffic reaching the ASA on its single, outside interface which would keep the publicly reachable static addresses. However we would have to do some sort of NAT or source routing for dynamic VPN traffic. The more I think about this option the less it looks like a solution.

2) keep everything in the ASA (this is our 'preferred path') but somehow arrange for source routing, or session establishment parameters, to allow us to send traffic out the interface it arrived on. So that if traffic arrived on the VPN, or publicly addressed interface, responses would be sent back out that same interface.

A cursory examination of the ASA material has not yielded the information, so while I continue searching I thought I'd pose the question to the community as I am certain someone has seen this sort of set up before.

thanks in advance,

William

Collin Clark Mon, 12/07/2009 - 13:08

William-

What you want to do is Policy Based Routing. Not the prettiest thing in the world, but it works. Unfortunately it's not supported on the ASA (yet), so your only PBR option is on the router. You can search CCO for policy based routing or PBR for more info.

Hope it helps.

wpinberlin Tue, 12/08/2009 - 00:41

Thanks Collin,

so that would mean doing PBR on the WAN side router to direct the desired traffic out the fixed 2Mb link, and then doing NAT on the VDSL link for the rest of the traffic such that it has the source address of the PPPoE interface. Otherwise we will end up once again with all the response traffic clogging up the 2Mb link on its way back, as that is how the provider will be routing traffic down to our publicly addressed interfaces. It seems like it should work, or am I overlooking some crucial detail?

cheers,

William
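A sketch of the router-side design William describes in his last reply (PBR to keep VPN and published-server replies on the fixed link, PAT of everything else to the dynamic VDSL address). This is an added example, not configuration from the thread or from either poster; interface names, the public block 203.0.113.0/29, the ASA outside address .2, the published-server addresses .4 to .7 and the fixed-link next hop 198.51.100.1 are all hypothetical (RFC 5737 documentation ranges) and must be replaced with real values.

```cisco
! Added example configuration for the WAN-side IOS router (assumed topology):
!   FastEthernet0/0  - LAN towards the ASA outside interface (ASA at 203.0.113.2)
!   FastEthernet0/1  - fixed 2 Mb link, provider next hop 198.51.100.1
!   Dialer1          - PPPoE VDSL link, dynamic address
!   203.0.113.4-.7   - static public addresses of the published servers (ASA static NAT)
! All addresses above are hypothetical placeholders.

interface FastEthernet0/0
 description LAN side: ASA outside interface sits here
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
 ip policy route-map FIXED-LINK

interface FastEthernet0/1
 description fixed 2 Mb link (statically addressed, no NAT here)
 ip address 198.51.100.2 255.255.255.252

interface Dialer1
 description VDSL PPPoE link (dynamic address)
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ip nat outside

! Traffic that arrived over the fixed link and must be answered over it:
! IPsec from the ASA (site-to-site and remote-access clients) and anything
! sourced from the published servers' static public addresses.
ip access-list extended KEEP-ON-FIXED
 remark IKE, NAT-T and ESP from the ASA outside address
 permit udp host 203.0.113.2 any eq isakmp
 permit udp host 203.0.113.2 any eq non500-isakmp
 permit esp host 203.0.113.2 any
 remark replies from the published servers
 permit ip 203.0.113.4 0.0.0.3 any

route-map FIXED-LINK permit 10
 match ip address KEEP-ON-FIXED
 set ip next-hop 198.51.100.1
! Packets not matched by sequence 10 fall through to the routing table,
! i.e. the default route below (ordinary outbound internet traffic).

ip route 0.0.0.0 0.0.0.0 Dialer1

! PAT everything leaving via Dialer1 to the dynamic VDSL address so that
! the provider returns the replies over VDSL rather than down the 2 Mb link.
! Traffic policy-routed out FastEthernet0/1 is untouched: that interface
! is not an "ip nat outside" interface.
ip access-list extended NAT-TO-VDSL
 permit ip 203.0.113.0 0.0.0.7 any

ip nat inside source list NAT-TO-VDSL interface Dialer1 overload
```

Two caveats a practitioner would check before relying on this. First, the split only works because the VPN and server traffic is distinguishable from ordinary browsing by protocol or source address; if the ASA also translates internal users to 203.0.113.2, their TCP/UDP sessions fall through to the VDSL link and get translated a second time on the router (double NAT), which is fine for outbound sessions but means nothing sourced from .2 other than IKE/NAT-T/ESP takes the fixed link. Second, `show route-map FIXED-LINK` and `show ip nat translations` are the quickest way to confirm that the policy-routed packets are being matched and that only the VDSL-bound traffic appears in the translation table.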
