topic ASA 5510 with double connection in Network Security

ASA 5510 with double connection

battanc — Tue, 12 Mar 2019 01:17:44 GMT

Customer with an internal network with several VLAN, Switch Layer-3 and Firewall.

VPN L2L with site B.

Now I need to add a leased line that directly connect site A with site B.

To protect my Network, I would like to connect this leased line to a new DMZ of my ASA.

No problem to manage the route on the Firewall.

The question is: can I keep the VPN as BackUp, in case of failure of the leased line ?

Can I track (with SLA monitor) the response of the leased line ?

Or the only way is to connect the leased line directly to the Layer-3 Switch (Cisco-3925), losing the Firewall protection on this line ?

Attached a scheme that can help you understand.

Best regard,

Claudio

ASA 5510 with double connection

Collin Clark — Thu, 21 Mar 2013 18:22:10 GMT

https://supportforums.cisco.com/thread/1003022

Hope it helps.

ASA 5510 with double connection

Andrew Phirsov — Thu, 21 Mar 2013 19:31:59 GMT

I think it's ok to connect leased line to another interface. I would only call that interface not DMZ, but smth like outside2 just for it to be more logical.

You will have to configure static route on your leased line towards the subnet on site B and do the tracking for that interface. And that static route would be preferred by default for that subnet, as soon as for ISP-line you're using just default route. In case of failure of leased line traffic to site B will match the default route, fall into crypto-map and get sent throug the vpn-tunnel.