Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
0
Helpful
2
Replies

Suggestion for separate VPN appliances and managing IPSEC VPN routes

Go to solution
campbech1
Level 1
Level 1

‎07-30-2013 08:21 AM - edited ‎02-21-2020 07:03 PM

I'm looking to install two Cisco ASA 5585X firewalls in active/standby and am running into a snag.

Right now we terminate all of our IPSEC VPN tunnels on a pair of 5585x's but with the size of those tunnels growing and our organization aquiring other organizations at a fast rate, we've deviced to move the VPN tunnels to their own VPN appliances.

Right now VPN tunnels are very simple since our default route, which is advertised by EIGRP, is to inside interface on our firewalls. Once the new firewalls are installed this won't work for VPN networks/hosts.

Is it possible to run EIGRP on the new VPN appliances and advertise those remote VPN networks/hosts into our EIGRP instance. I really don't want to create hundreds of static routes/ACLs to redirect that VPN networks/host to the new VPN appliances.

Thank you in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-31-2013 12:35 AM

Remember to enable RRI on the VPN box and advertise a summary of IP pool(s) toward your "core" infrastructure, for example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_eigrp.html#wp1104925

M.

edit: Oh, one more thing, since summaries can lead to routing loops in some cases, enable strict unicast RPF on L3 interfaces of ASA and next hope towards your L3. Just a safeguard. Anyway unicast RPF is best practice in most setups.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-31-2013 12:35 AM

Remember to enable RRI on the VPN box and advertise a summary of IP pool(s) toward your "core" infrastructure, for example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_eigrp.html#wp1104925

M.

edit: Oh, one more thing, since summaries can lead to routing loops in some cases, enable strict unicast RPF on L3 interfaces of ASA and next hope towards your L3. Just a safeguard. Anyway unicast RPF is best practice in most setups.

0 Helpful

Go to solution
campbech1
Level 1
Level 1
In response to Marcin Latosiewicz

‎11-26-2013 07:52 AM

This helped me immensely and is working great. Thank you for the assistance!

0 Helpful
Customers Also Viewed These Support Documents