Hi, I have two ASA firewalls and two different ISP leased lines. Now I want to create a site-to-site VPN tunnel with the DC, and it will work; that's fine. Now I want to use both ASAs, and both ISP lines will be used by both ASA boxes, and I will create the tunnel. Now if I connect my inside network with both firewalls, will it work? I want load balancing between the ISP links and load balancing of the VPN tunnel. The configuration is below:
FW 1 outside interface 126.96.36.199/24
FW 1 Inside Interface 192.168.12.1/24
FW 2 Outside interface 188.8.131.52/24
FW 2 Inside Interface 192.168.12.2
Now if I assign the gateway 192.168.12.1 on client machines, then traffic moves through FW1, and if I use 192.168.12.2, then traffic moves through the second FW. Now I want the traffic to use both interfaces, with the traffic split 50-50%. Is it possible? If so, please tell us what I should do. Will it work if I install one router between the local LAN and the FWs? Thanks.
No, I'm not using failover. Let me clarify my setup again. I have two ASA FWs and two ISP links.
1st ISP link 184.108.40.206
2nd ISP link 220.127.116.11
Inside Network 192.168.12.0/24
Now I configure one link on the outside interface of the first FW and the second link on the second FW's outside interface. The first firewall's interface IP address is 192.168.13.1 and the second FW's inside interface IP is 192.168.14.1, and both interfaces are connected to a Cisco router which has three interfaces. The router config is below:
Eth 0 192.168.13.2, which is connected to the 1st FW
Eth 1 192.168.14.2, which is connected to the 2nd FW
Eth 3 192.168.12.1, which is connected to my inside network.
Static routes used here:
0.0.0.0 0.0.0.0 192.168.13.1
0.0.0.0 0.0.0.0 192.168.14.1
Now I create a site-to-site tunnel from both FWs to the other site, whose peer IP is 18.104.22.168. In this scenario, will load balancing work between the ISP links and the site-to-site tunnel? Thanks
What would happen if I add a route command for return traffic for the inside network (192.168.12.0) from the remote site? Will it communicate? Thanks
I think you can lose half of the traffic.
The problem will be on the remote site.
And you need to have identical crypto access-lists for different peers (ASA1, ASA2).
Yeah, it's not an issue. I will make the crypto settings and exempt the network for both ASA FWs. What would be the issue if I go with a similar configuration? I haven't got two ISP lines, otherwise I would test it. Can anyone test this scenario? Thanks