New Member

Suggestion for separate VPN appliances and managing IPSEC VPN routes

I'm looking to install two Cisco ASA 5585X firewalls in active/standby and am running into a snag.

Right now we terminate all of our IPSEC VPN tunnels on a pair of 5585x's, but with the size of those tunnels growing and our organization acquiring other organizations at a fast rate, we've decided to move the VPN tunnels to their own VPN appliances.

Right now VPN tunnels are very simple since our default route, which is advertised by EIGRP, is to the inside interface on our firewalls. Once the new firewalls are installed this won't work for VPN networks/hosts.

Is it possible to run EIGRP on the new VPN appliances and advertise those remote VPN networks/hosts into our EIGRP instance? I really don't want to create hundreds of static routes/ACLs to redirect those VPN networks/hosts to the new VPN appliances.

Thank you in advance!

ACCEPTED SOLUTION
Cisco Employee

Re: Suggestion for separate VPN appliances and managing IPSEC VP

Remember to enable RRI on the VPN box and advertise a summary of IP pool(s) toward your "core" infrastructure, for example:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_eigrp.html#wp1104925

M.

edit: Oh, one more thing, since summaries can lead to routing loops in some cases, enable strict unicast RPF on L3 interfaces of the ASA and the next hop towards your L3. Just a safeguard. Anyway, unicast RPF is best practice in most setups.
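To make the three pieces of that advice concrete, here is an added configuration sketch for the dedicated VPN ASA and its L3 next hop. It is not from M.'s post or from the linked Cisco guide; interface names, the EIGRP AS number (100), the crypto map name, the peer address 203.0.113.10, and the 10.200.0.0/16 range assumed to hold all partner/acquired networks are assumptions chosen for the example.

```cisco
! ---- Dedicated VPN ASA (assumed names and addresses, not from the thread) ----

! Protected traffic for one site-to-site peer; 10.200.1.0/24 is that peer's network.
access-list ACL_PARTNER_A extended permit ip 10.1.0.0 255.255.0.0 10.200.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! 1. Reverse Route Injection (RRI): while this tunnel is up, the ASA installs a
!    static route for 10.200.1.0/24 out the outside interface, and withdraws it
!    when the SA goes away. No hand-written static route is needed per peer.
crypto map VPNMAP 10 match address ACL_PARTNER_A
crypto map VPNMAP 10 set peer 203.0.113.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP 10 set reverse-route
crypto map VPNMAP interface outside

! 2. The RRI routes are static routes, so redistribute static into EIGRP;
!    default-metric supplies the seed metric for redistributed routes.
router eigrp 100
 network 10.1.1.0 255.255.255.0
 redistribute static
 default-metric 100000 100 255 1 1500

! 3. Advertise one summary toward the core instead of every tunnel's prefix.
!    The core will now forward all of 10.200.0.0/16 to the VPN ASA, including
!    subnets whose tunnel is currently down, which is the loop risk M. mentions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
 summary-address eigrp 100 10.200.0.0 255.255.0.0

! 4. Strict unicast RPF on the ASA's L3 interfaces: a packet is dropped unless
!    the route back to its source address points out the interface it arrived on.
ip verify reverse-path interface inside
ip verify reverse-path interface outside

! ---- Core L3 switch/router (IOS, the next hop toward the ASA) ----
! Strict uRPF on the interface facing the VPN ASA, as suggested in the post.
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

After a tunnel comes up, `show route` on the ASA should list the peer's network as a static route via the outside interface, and the core should learn only 10.200.0.0/16 from EIGRP. When a tunnel is down, traffic for that subnet still lands on the ASA because of the summary; uRPF does not fix that by itself, so it is worth confirming that the ASA does not simply hand such traffic back toward the core via its default route.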

2 REPLIES
New Member

Suggestion for separate VPN appliances and managing IPSEC VPN ro

This helped me immensely and is working great. Thank you for the assistance!
