Question : IPSEC access into ASA via second Internet connection

I have a question for what seems to be a popular unresolved question relating to Cisco ASA (5510) and multiple internet connections (carrier eth + cable).  

How can I configure the ASA to allow for inbound connections via the secondary cable Internet connection (for things such as IPSEC VPN or other port based access)?

First, I have configured the static routes per the popular Cisco article http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml.  This article hints that inbound connections require advanced configuration, but the details about this advanced config are not included.  

On VPN redundancy for example, I have duplicated all IPSEC VPN setup for the secondary Internet interface.  When I try to test VPN using the static IP of the backup however, I can't get the ASA to allow the traffic in.

Hints from somewhat related questions on this topic suggest that additional routing protocols are needed, or external load balancing servers/services or adding a Cisco router.  None clearly explains how to get the inbound connection simultaneously on both a primary and secondary interface.  If this is not possible with just the ASA 5510 alone, what options do I have?

My ultimate desire is to do DNS failover for key services such as SFTP, Exchange (443 and 25) and IPSEC VPN so that if the primary Internet line goes down, outside services will not be inaccessible.

Thanks in advance!
Aaron

Answer : IPSEC access into ASA via second Internet connection

To my knowledge the ASA doesn't have the ability to automatically fail over IPSec site-to-site tunnels through a redundant ISP that's configured like the Cisco article you linked.  Cisco does have a protocol called DMVPN (Dynamic Multipoint VPN) which would allow this to work, but that's not supported on the ASAs unfortunately.  

Now for remote VPN client configuration it should be possible to have that work correctly when you've failed over to the backup link.  If that's not working then can you please post your sanitized config?

How do you plan to accomplish DNS failover?  Are you going to use a service which will detect that your primary ISP is down and then only hand out the backup IPs?  For inbound SMTP an MX record with a primary and secondary can work fine, but for other services, this can be problematic.  

One solution that can work is this:
- Have your registrar point to DNS servers you administrate.  One is configured on an IP assigned by ISP1, the other on ISP2.
- Have those IPs NATed on your firewall to go to 2 separate DNS servers; these host your internet DNS records.
- Configure your DNS entries on each server so that they hand out the IPs for the specific ISP they're related to.  I.e. DNS server 1, NATed to ISP1 IP address, hands out IPs for inbound services that are allocated by ISP1.  DNS server 2 hands out ISP2 IP numbers.
- The ISP2 DNS server will be non-accessible from the internet unless and until ISP1 fails and the ASA redirects the default gateway route.  DNS server 2 then hands out IPs, but only for the IPs to be routed through ISP2, and thus through the backup connection.

Also I might point out that XroadsNetworks has a device that can be configured behind your ASA and makes this setup a lot easier. :)
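The following is an added configuration example, not part of the answer above and not from Cisco's article: it shows one way to wire up the two-DNS-server design described in the answer on an ASA 5510 running pre-8.3 code (old `static`/`access-list` NAT syntax), on top of the tracked-default-route setup from the linked article. Every address is a constructed RFC 5737 documentation address, and the interface names (`outside`, `backup`, `inside`), the SLA/track numbers and the ACL and crypto map names are all assumptions chosen for this example.

```text
! Added example (not from the original answer). ASA 5510, pre-8.3 syntax.
! Constructed addressing:
!   ISP1 on "outside": 203.0.113.0/29  (gateway .1, ASA .2, DNS1 public .3)
!   ISP2 on "backup":  198.51.100.0/29 (gateway .1, ASA .2, DNS2 public .3)
!   Inside DNS servers: 192.168.1.10 (DNS1) and 192.168.1.11 (DNS2)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Tracked default route, as in the Cisco redundant-ISP article:
! ping ISP1's gateway; when it stops answering, the metric-254 route wins.
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! One public IP per ISP, each mapped to its own internal DNS server
! (DNS1 answers with ISP1 addresses, DNS2 answers with ISP2 addresses).
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
static (inside,backup) 198.51.100.3 192.168.1.11 netmask 255.255.255.255

! Open only DNS (UDP and TCP 53) to each server, on its own ISP interface.
access-list outside_in extended permit udp any host 203.0.113.3 eq domain
access-list outside_in extended permit tcp any host 203.0.113.3 eq domain
access-group outside_in in interface outside
access-list backup_in extended permit udp any host 198.51.100.3 eq domain
access-list backup_in extended permit tcp any host 198.51.100.3 eq domain
access-group backup_in in interface backup

! Terminate remote-access IPsec on both ISP interfaces with the same
! crypto map (the map's dynamic/static entries are configured elsewhere).
crypto isakmp enable outside
crypto isakmp enable backup
crypto map outside_map interface outside
crypto map outside_map interface backup

! Matching DNS data (zone file excerpts, constructed):
!   registrar / parent zone glue:
!     ns1.example.com.  A 203.0.113.3
!     ns2.example.com.  A 198.51.100.3
!   DNS1 (192.168.1.10) hands out:   vpn.example.com.  A 203.0.113.2
!   DNS2 (192.168.1.11) hands out:   vpn.example.com.  A 198.51.100.2
```

The design relies on the behaviour the answer describes: while the tracked route via ISP1 is up, replies to anything arriving on `backup` would leave via `outside`, so resolvers effectively only reach ns1 and receive ISP1 addresses; once the track fails and the default route flips, ns1 becomes unreachable, resolvers retry ns2, and clients get the ISP2 addresses. Every other inbound service you want to survive failover (SFTP, 443, 25) needs the same pair of `static` entries and ACL lines, one per ISP interface, and the records on each DNS server should carry a short TTL so cached ISP1 answers expire quickly after a failover.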