Configure 3 ISPs on 1 router and run site-to-site VPN
I have an existing setup as follows:
HO ASA is directly connected to ISP1 running peer-to-peer VPN with 5 remote sites also having ASAs as endpoints terminating the VPN tunnels. Note that the ISPs at the different remote locations are all different so the peer-to-peer VPN is actually run over the internet.
Because the client experiences downtime from ISP1 at HO, they went ahead and got 2 new ISPs, making 3. A router with an additional interface card has been purchased, and the client wants all 3 ISPs configured on the HO router in a manner that provides failover from one ISP to the other when there is an issue with the former. VPN traffic between the HO and the sites is what passes through these physical and logical connections.
Task now is to configure the new HO Router with the 3 ISPs such that when ISP1 fails, ISP2 picks up routing traffic. HO ASA will remain in the picture and will maintain its primary function of managing all VPN related traffic between the HO LAN and remote site LAN. Remote site ASAs need to be configured in such a way that they can track when ISP1 at HO is down and accept or initiate VPN traffic from/to the HO via ISP2. I have attached a sketch of what the network topology must look like after the setup is complete.
I have spent some time trying to introduce BGP but the client does not have its own range of public IPs and AS number, so that has been put on ice.
I have also considered DMVPN, but this is also a problem because all the endpoint devices at the remote sites are ASA devices.
So I am now stuck and really lost as to what to do next. I would appreciate any advice and probably sample configs that can help.
So I have the following config for the HO Router, a little something I think for the HO ASA, but not a clue what to do on the remote ASA to allow it to monitor all three HO ISPs and know when to route traffic through a working ISP. Any ideas please?
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HO_Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
no ip dhcp use vrf connected
!
no ipv6 cef
!
multilink bundle-name authenticated
!
ip audit po max-events 100
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! One keyring per ISP so each tunnel source uses its own pre-shared key
crypto keyring ISP1
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey1
crypto keyring ISP2
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey2
crypto keyring ISP3
  pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey3
!
crypto isakmp profile ISP1
   keyring ISP1
   match identity address 0.0.0.0
crypto isakmp profile ISP2
   keyring ISP2
   match identity address 0.0.0.0
crypto isakmp profile ISP3
   keyring ISP3
   match identity address 0.0.0.0
!
crypto ipsec profile IpsecProf1
 set transform-set AES256SHA
 set isakmp-profile ISP1
crypto ipsec profile IpsecProf2
 set transform-set AES256SHA
 set isakmp-profile ISP2
crypto ipsec profile IpsecProf3
 set transform-set AES256SHA
 set isakmp-profile ISP3
!
! One mGRE tunnel per ISP, each sourced from that ISP's interface
interface Tunnel1
 bandwidth 2000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpauth
 ip nhrp map multicast dynamic
 ip nhrp network-id 53
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
 bandwidth 2000
 ip address 172.16.20.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpaut2
 ip nhrp map multicast dynamic
 ip nhrp network-id 54
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source GigabitEthernet0/2
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile IpsecProf2
!
interface Tunnel3
 bandwidth 2000
 ip address 172.16.30.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication nhrpaut3
 ip nhrp map multicast dynamic
 ip nhrp network-id 55
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf 1 area 0
 delay 100
 tunnel source FastEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 3
 tunnel protection ipsec profile IpsecProf3
!
interface GigabitEthernet0/0
 description To ASA
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip ospf 1 area 0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco123
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP1
 ip address a.a.a.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description ISP2
 ip address b.b.b.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description ISP3
 ip address c.c.c.2 255.255.255.254
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 default-information originate always
!
! PAT per exit interface; the route-maps below pick the pool by outgoing interface
ip nat inside source route-map EXIT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map EXIT_ISP2 interface GigabitEthernet0/2 overload
ip nat inside source route-map EXIT_ISP3 interface FastEthernet0/0/0 overload
ip forward-protocol nd
ip classless
!
ip sla responder
!
! Probe each ISP's next hop; the tracks below follow the probe results
ip sla 1
 icmp-echo a.a.a.1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo b.b.b.1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo c.c.c.1
ip sla schedule 3 life forever start-time now
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
track 30 ip sla 3 reachability
 delay down 1 up 1
!
no ip http server
no ip http secure-server
!
! Floating static defaults: ISP2 and ISP3 carry a higher administrative distance,
! so they are installed only when the preferred route is withdrawn by its track.
! With equal distances all three would be installed at once and load-shared,
! which is not failover.
ip route 0.0.0.0 0.0.0.0 a.a.a.1 track 10
ip route 0.0.0.0 0.0.0.0 b.b.b.1 10 track 20
ip route 0.0.0.0 0.0.0.0 c.c.c.1 20 track 30
ip route 172.16.10.0 255.255.255.0 a.a.a.1
ip route 172.16.20.0 255.255.255.0 b.b.b.1
ip route 172.16.30.0 255.255.255.0 c.c.c.1
!
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
!
route-map EXIT_ISP1 permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map EXIT_ISP2 permit 10
 match ip address 110
 match interface GigabitEthernet0/2
!
route-map EXIT_ISP3 permit 10
 match ip address 110
 match interface FastEthernet0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end
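As an added example that is not part of the original post, this is the remote-site ASA side of the failover: an IKEv1 site-to-site crypto map that lists all three HO public addresses as an ordered peer list, with dead peer detection so the ASA notices when the current HO peer stops answering and moves to the next one. It assumes ASA 8.4+ syntax, a constructed remote LAN of 192.168.1.0/24 on an interface named inside, and that all three HO addresses reach the same IKE responder with matching IKE and IPsec proposals (the posted router config terminates IPsec on the router itself, so that part of the HO side still has to be arranged).

```cisco
! Remote-site ASA, IKEv1 L2L, ASA 8.4+ syntax (added example, not the poster's config)
! Constructed values: SITE_LAN 192.168.1.0/24, interfaces named inside and outside
object network HO_LAN
 subnet 10.0.1.0 255.255.255.0
object network SITE_LAN
 subnet 192.168.1.0 255.255.255.0
!
! Interesting traffic for the tunnel and the matching NAT exemption
access-list VPN_TO_HO extended permit ip object SITE_LAN object HO_LAN
nat (inside,outside) source static SITE_LAN SITE_LAN destination static HO_LAN HO_LAN no-proxy-arp route-lookup
!
! Phase 1 and Phase 2 proposals: these must match what the HO responder offers
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac
!
! One tunnel-group per HO public address, each with the key from the matching HO keyring;
! DPD (keepalive) is what lets the ASA detect that the current HO ISP is down
tunnel-group a.a.a.2 type ipsec-l2l
tunnel-group a.a.a.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey1
 isakmp keepalive threshold 10 retry 2
tunnel-group b.b.b.2 type ipsec-l2l
tunnel-group b.b.b.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey2
 isakmp keepalive threshold 10 retry 2
tunnel-group c.c.c.2 type ipsec-l2l
tunnel-group c.c.c.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey3
 isakmp keepalive threshold 10 retry 2
!
! Ordered peer list: the ASA negotiates with a.a.a.2 first and moves down the list
! when IKE to the current peer times out or DPD declares it dead
crypto map HO_MAP 10 match address VPN_TO_HO
crypto map HO_MAP 10 set peer a.a.a.2 b.b.b.2 c.c.c.2
crypto map HO_MAP 10 set ikev1 transform-set AES256SHA
crypto map HO_MAP interface outside
```

The ASA does not preempt: once it has failed over to b.b.b.2 it stays on that peer until the SA is torn down, so sites remain on ISP2 after ISP1 recovers unless the tunnel is cleared.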