https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243396#M357495 <HTML><HEAD></HEAD><BODY><P>I also don't really understand the scenario ... but the ASA can run routing through a VPN. It's described in the following document:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml</A></P><P></P><P>Still, a router would probably be the better device to achive the desired result.</P><P></P><P>-- </P><P>Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 24 May 2013 17:33:09 GMT Karsten Iwen 2013-05-24T17:33:09Z https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243392#M357491 <P>Hi,</P><P></P><P>I have a simple requirment that I am hoping somone can kindly validate.</P><P></P><P>Running an ASA firewall, I would like to achieve the following:</P><P></P><P>I would like to setup two external routes for my firewall. The primary/default would use the outside interface. Should this route become unavailable, I would like to route via an IPSec LAN2LAN tunnel, using the outside interface.</P><P></P><P>My Question, can I run ospf over both the outside and VPN tunnel tunnel to achive this routing scenario (seeing as they reside on the same interface, I am a little conceraned) ?</P><P></P><P>Any advice apprecaited.</P><P></P><P>Thank you</P><P>Matt </P> Tue, 12 Mar 2019 01:48:47 GMT https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243392#M357491 mcroft 2019-03-12T01:48:47Z https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243393#M357492 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I think you would need GRE to be able to run routing protocol through a L2L VPN connection.</P><P></P><P>And ASA cant do IPsec + GRE tunnels like Cisco Routers</P><P></P><P>So it doesnt really seem possible.</P><P></P><P>Also I am a bit confused about this purpose. You say you would be using a single interface for both the normal default route and the L2L VPN connection. Wouldnt a failure fail both routes if we presumed this could be done on the ASA alone?</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 24 May 2013 16:45:33 GMT https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243393#M357492 Jouni Forss 2013-05-24T16:45:33Z https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243394#M357493 <HTML><HEAD></HEAD><BODY><P>thanks for the reponse.</P><P></P><P>I have just been looking at the ASDM.</P><P>It looks like there is a 'Tracking Option' under the routing section. So, you can add a couple static routes one with a higher SLA ID and then track accriding</P><P></P><P>Not sure how this will work with a crypto map though, may screw it all up. But worth a test.</P><P></P><P>As for the purpose, they would share the same outside interface but have two different gatways (LAN Router &amp; ISP Router), however, they are in a failover pair. So if the physical ethernet port / connection fails, the ASA would fail to the secondary unit. The failover unit would then pick up the IPSEC VPN route.</P><P></P><P>thats my thinking anyways <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Viable ?</P></BODY></HTML> Fri, 24 May 2013 17:12:21 GMT https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243394#M357493 mcroft 2013-05-24T17:12:21Z https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243395#M357494 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Sadly I cant really provide much insight to this setup.</P><P></P><P>But to my understanding you need GRE to be able to run routing through a L2L VPN connection. And as ASA cant do that it is not possible to my understanding.</P><P></P><P>I still dont understand the setup completely.</P><P></P><P>Normally your default route would be the ISP Router and if it failed you would start routing towards some LAN Router/L2L VPN. Where would that L2L VPN be connected to?</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 24 May 2013 17:24:40 GMT https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243395#M357494 Jouni Forss 2013-05-24T17:24:40Z https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243396#M357495 <HTML><HEAD></HEAD><BODY><P>I also don't really understand the scenario ... but the ASA can run routing through a VPN. It's described in the following document:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml</A></P><P></P><P>Still, a router would probably be the better device to achive the desired result.</P><P></P><P>-- </P><P>Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Fri, 24 May 2013 17:33:09 GMT https://community.cisco.com/t5/network-security/asa-with-a-secondary-route-via-ipsec-ospf/m-p/2243396#M357495 Karsten Iwen 2013-05-24T17:33:09Z