Tuesday, March 24, 2020

CheckPoint VMs - Policy routing performance? Any experience?

Hey,

Due to the apocalypse, I'm having another internet circuit installed (1GbE from a tier 1 transit carrier). The CheckPoint VMs are the perimeter of my enterprise (10,000 users). My VPN appliances are ASA FP2110s which sit on the internet, but run a full tunnel whose next hop to the internet is the CheckPoint. I need traffic to flow through the CheckPoint for VPN users to maintain security policies.

If I were to bring a new circuit in, I'd need to put the ASAs on this VLAN and have them follow the default route to the CheckPoint, but have the CheckPoint steer that traffic so it overrides the default route through the current carrier and uses the new carrier.

The idea is: for traffic sourced from 172.22.0.0/22 (the VPN subnet), PBR the traffic out the new circuit.

In the lab, this works perfectly. I have no issues with configuration. I'm looking to see if anyone out there has experience with this and what the performance would be.

Thanks.
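For readers following along, this is the Gaia clish form of the PBR setup the post describes (an added illustration, not the poster's lab configuration). It assumes the new carrier's gateway is 203.0.113.1 and names the routing table NEW_CARRIER; both are placeholders.

```clish
# Assumed: 203.0.113.1 is the new carrier's gateway (placeholder), NEW_CARRIER is an assumed table name.
# 1. Build a separate routing table whose only route is a default via the new circuit.
set pbr table NEW_CARRIER static-route default nexthop gateway address 203.0.113.1 priority 1

# 2. Match only packets sourced from the VPN pool (decapsulated traffic arriving from the ASAs)
#    and send them to that table. Everything else keeps using the main table's default route
#    through the existing carrier, so the firewall policy is unchanged.
set pbr rule priority 10 match from 172.22.0.0/22
set pbr rule priority 10 action table NEW_CARRIER

# 3. Verify before saving: the rule and the table should both be listed.
show pbr rules
show pbr tables

save config
```

PBR is evaluated before the main routing table, so the rule affects only the VPN pool; `show pbr rules` confirms the match and action are active before the change is saved.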
