12-09-2012 12:05 AM
Hi,
I hope this is the right place to post this question....
I currently have an ASA5510 (software version 8.2.5) which I'm using as my firewall and vpn. I have an ipsec tunnel between my office and our HQ office. The ASA is also serving as client vpn termination point.
For routing internally at my office, all I have is a Catalyst 3560 doing static vlan routing, and the ASA's inside interface is the default gateway for the 3560.
The next step is to add an MPLS circuit between the 2 offices.
The ipsec tunnel between the two offices is working fine, but once the MPLS is installed, we want to send all pertinent traffic over MPLS, and use the ipsec tunnel as a backup in case the MPLS goes down.
So all traffic leaving the branch office network would be handled by the ASA. The ASA would either send the traffic out the MPLS (or over the ipsec tunnel if the MPLS was down), or out to the internet if not destined for one of the HQ networks.
Can the 5510 do all of this?
Thanks for any insights!
12-09-2012 01:31 AM
One potential solution is to use IP SLA to failover to your secondary link. See below:
Don't forget to rate helpful posts.
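A sketch of the IP SLA approach mentioned in the reply above, as an added example that is not part of the original thread. It uses ASA 8.2 tracked static routes; the interface name `mpls` and every address are constructed placeholders, not values from the poster's network.

```cisco
! Constructed example for ASA 8.2.x. Placeholders (assumptions):
!   mpls            nameif of the interface facing the MPLS circuit
!   outside         nameif of the Internet interface carrying the crypto map
!   10.10.0.0/16    HQ networks already matched by the L2L crypto ACL
!   192.168.100.1   MPLS next hop at the branch
!   192.168.200.1   HQ-side MPLS router address, used only as probe target
!   203.0.113.1     Internet next hop

! Pin the probe target to the MPLS path with an untracked host route,
! so probes keep using MPLS after the tracked route is withdrawn and
! the track object can come back up when the circuit recovers.
route mpls 192.168.200.1 255.255.255.255 192.168.100.1 1

! Probe the far end of the circuit, not just the local next hop, so a
! failure anywhere along the MPLS path is detected.
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.200.1 interface mpls
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability result of SLA operation 1.
track 1 rtr 1 reachability

! Primary path: HQ networks via MPLS, installed only while track 1 is up.
route mpls 10.10.0.0 255.255.0.0 192.168.100.1 1 track 1

! Backup path: floating static (distance 254) out the outside interface.
! Traffic taking this route matches the existing crypto map and is
! encrypted into the IPsec tunnel.
route outside 10.10.0.0 255.255.0.0 203.0.113.1 254

! Everything not destined for HQ goes to the Internet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

`show track` and `show route` confirm which path is installed. HQ needs an equivalent failover for return traffic, otherwise flows become asymmetric and the ASA drops them.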
12-12-2012 03:07 PM
This type of solution with an ASA is quite difficult to set up. In my experience, you would be far better to use a router with the firewall feature set, as you have better options for configuring the IPsec L2L tunnels. ASAs are great for remote access (Client) VPNs, but limited for L2L use.
Routers allow you to set up either VTI or DMVPN based tunnels, both of which support a dynamic routing protocol across the tunnel, so the tunnel looks like another P2P circuit to your core, and can have routing metrics or floating statics applied.
Andy