Both ISPs have their own DNS servers, which can only be addressed by using their IP addresses. At the moment I deploy the DNS servers by DHCP to my clients for the main line. If I change the static route to the backup line, the DNS service of the clients fails.
Is there any way to deploy the DNS based upon the active route? I am quite sure that I am not the only one that has that problem, but I can't find an answer... Using Google's DNS servers is also not an attractive option for me.
Further, there is a problem with my IPSec VPN interface. The primary line has a dynamic IP address, while the backup line has a static IP address. My ASA only responds to the VPN connection on the active route (lowest metric). Is there a way to tell the ASA to accept VPN on both connections?
I don't think I can give a really specific answer to this, but to my understanding there is no real way to modify the DNS servers the DHCP server provides to the clients. There is a command for DHCP WAN interfaces that automatically applies the DNS servers the ASA gets with DHCP to the actual DHCP service that the ASA provides for the clients. But I am not sure if this will really work with 2 different WAN interfaces, not to mention that you have the other WAN interface statically configured and not using DHCP.
I am wondering if the solution would be to have an internal DNS server that would query information through both WAN links. I am not sure if this is possible since I really don't know much about the IT/Server side.
With regards to your VPN related problem, I think it boils down to the fact that this is "to the box" traffic, so the ASA passes the return traffic through the interface that holds the default route and therefore VPN connections through the secondary WAN link won't work.
Again, as a solution I can only think of one that really would not be ideal. And that is if you could have a NAT capable device in front of the ASA on the secondary WAN link and PAT the VPN related traffic before it reaches the ASA (from the Internet), then the ASA would be able to forward the return traffic towards that PAT address.
The PAT address could either be from the link network between ASA and the device in front of it (on secondary WAN link) or if the PAT address was not from that network it could be routed on the ASA towards the secondary WAN link. This way you would not require a default route on the secondary WAN link also, just the static route for the single PAT address from where the ASA sees the VPN connections coming from.
I don't think you can have such a setup based on the active route. You can have the primary DNS server pointed through ISP1 and then the secondary through ISP2. So in case a link fails, the secondary DNS will take care of the connections.
For your problem 2:
In the RA VPN case you cannot do much on the same, because your source traffic can be any and the return response follows the default path.
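As an added illustration of the "primary resolver through ISP1, secondary through ISP2" idea above (constructed example, not configuration from this thread or from Cisco), the fragment below hands clients both ISP resolvers and pins ISP2's resolver to the backup link with a host route, so it stays reachable no matter which default route is active. Interface names (outside, backup, inside), the tracked-route failover and all addresses are assumptions; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```text
! Constructed ASA 8.x-style example; all names and addresses are assumptions.
! Primary line (ISP1, dynamic address) on "outside", backup line (ISP2, static) on "backup".
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
 dhcp client route track 1
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Probe ISP1's resolver (assumed 203.0.113.53); when it stops answering, the
! DHCP-learned default route on "outside" is withdrawn.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Floating default route via ISP2 (metric 254 loses to the primary default while it exists).
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Pin ISP2's resolver (assumed 198.51.100.53) to ISP2's link, independent of the active default.
route backup 198.51.100.53 255.255.255.255 198.51.100.1 1
!
! Hand clients both resolvers: ISP1 first, ISP2 second.
dhcpd dns 203.0.113.53 198.51.100.53
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
```

After a failover, clients still try ISP1's resolver first and fall back to ISP2's only after a timeout, so lookups get slower rather than failing outright; the host route also keeps ISP2's resolver from being reached via ISP1 while the primary line is up, which matters because ISP resolvers typically only answer queries arriving from their own customer addresses.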