ASA with a secondary route via IPSec (ospf?)

mcroft
Level 1

Hi,

I have a simple requirement that I am hoping someone can kindly validate.

Running an ASA firewall, I would like to achieve the following:

I would like to set up two external routes for my firewall. The primary/default would use the outside interface. Should this route become unavailable, I would like to route via an IPSec LAN2LAN tunnel, using the outside interface.

My question: can I run OSPF over both the outside and the VPN tunnel to achieve this routing scenario (seeing as they reside on the same interface, I am a little concerned)?

Any advice appreciated.

Thank you

Matt

4 Replies

Jouni Forss
VIP Alumni

Hi,

I think you would need GRE to be able to run a routing protocol through an L2L VPN connection.

And the ASA can't do IPsec + GRE tunnels like Cisco routers can.

So it doesn't really seem possible.

Also, I am a bit confused about the purpose. You say you would be using a single interface for both the normal default route and the L2L VPN connection. Wouldn't a failure fail both routes, if we presumed this could be done on the ASA alone?

- Jouni

Thanks for the response.

I have just been looking at the ASDM.

It looks like there is a 'Tracking Option' under the routing section. So, you can add a couple of static routes, one with a higher SLA ID, and then track accordingly.

Not sure how this will work with a crypto map though, may screw it all up. But worth a test.

As for the purpose, they would share the same outside interface but have two different gateways (LAN Router & ISP Router); however, they are in a failover pair. So if the physical Ethernet port / connection fails, the ASA would fail to the secondary unit. The failover unit would then pick up the IPSEC VPN route.

That's my thinking anyway.

Viable?
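For reference, this is what the 'Tracking Option' described above looks like in ASA CLI terms: an SLA monitor pings a target through the outside interface, a track object follows its reachability, and the primary default route is tied to that track so that the higher-metric backup route takes over when the ping fails. This is an added illustration, not configuration from the original post; the IP addresses, SLA/track IDs and timers are placeholders to be replaced with the real ISP gateway, LAN router gateway and a reliable ping target.

```cisco
! Constructed example (not from the original thread). Replace placeholders:
!   203.0.113.1  = ISP router (primary default gateway, placeholder)
!   203.0.113.2  = LAN router reachable via the L2L VPN (backup gateway, placeholder)
!   198.51.100.1 = a reliable host beyond the ISP router to ping (placeholder)

! 1. Probe the ISP path: 3 ICMP echoes every 10 seconds out of the outside interface
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! 2. Track object 1 follows the reachability state of SLA operation 10
track 1 rtr 10 reachability

! 3. Primary default route (metric 1) is installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! 4. Backup default route with a worse metric; becomes active when the tracked route is withdrawn
route outside 0.0.0.0 0.0.0.0 203.0.113.2 254
```

Two points worth checking on a real box: the ping target must be something that only answers while the primary path is genuinely usable (pinging the ISP router's own interface can stay up while the link beyond it is down), and route tracking only changes the next hop. Whether a given packet is then encrypted is still decided by the crypto map ACL on the outside interface, which the route change does not touch, so the crypto ACL and the backup route need to agree on which traffic is meant to traverse the tunnel.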

Hi,

Sadly I can't really provide much insight into this setup.

But to my understanding you need GRE to be able to run routing through an L2L VPN connection. And as the ASA can't do that, it is not possible to my understanding.

I still don't understand the setup completely.

Normally your default route would be the ISP router, and if it failed you would start routing towards some LAN router/L2L VPN. Where would that L2L VPN be connected to?

- Jouni

I also don't really understand the scenario ... but the ASA can run routing through a VPN. It's described in the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Still, a router would probably be the better device to achieve the desired result.

--

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
