Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4408
Views
24
Helpful
25
Replies

ASA Backup Route over VPN

Yannick Vranckx
Level 2
Level 2

‎07-06-2015 02:03 AM - edited ‎03-11-2019 11:13 PM

Hello,

 

I have a question regarding a design with Cisco ASA. We will have a customer that will a controlled WAN, on the controlled WAN there will be sites with all Cisco ASA firewalls. There will also be a data center with the internet connection out.

But the sites will have a local internet break-out for backup reasons, incase the WAN would go down. The ASA must then create a VPN tunnel over that backup internet to the data center in order to keep connectivity.

 

 

My question is: How can wel tell the asa the Main WAN is down (Please note, he will not be the last hop out). Can we have IP SLA config on a route outside? So we can track the route and then when it's down perform an action.

The action should be that the ASA builds a VPN tunnel over the internet breakout to the data center in order to restore connectivity

 

Kind Regards,

 

Labels:
Preview file
35 KB
0 Helpful
25 Replies 25

Boris Uskov
Level 4
Level 4
In response to sang-l

‎12-14-2015 11:07 PM

Hello, 

Yes, it is true, that you can not configure tunnel interfaces on ASA. But you can configure the simple IPsec Site-to-Site tunnels (with crypto maps) to remote offices over Internet. All other recommendations are the same, as for Yannick's case.

You can:

1) Build two IPsec tunnels with crypto maps for each remote office. The first IPsec tunnel over MPLS cloud, the second - over Internet.

You can use OSPF over IPsec in this case to manage the routes. 

2) Build IPsec tunnel only over Internet (if MPLS cloud is a trusted zone for you). You can also use OSPF, EIGRP or iBPG to manage routes in this case.

sang-l
Level 1
Level 1
In response to Boris Uskov

‎12-14-2015 11:20 PM

Hi Boris,

You can instruction me follow option 2 use OSPF ?

Thanks.

0 Helpful

Boris Uskov
Level 4
Level 4
In response to sang-l

‎12-14-2015 11:28 PM

Oh, sorry, I made a mistake. OSPF and EIGRP are not suitable for option 2, because MPLS cloud is L3. Is iBGP suitable for you? To configure iBGP on cisco ASA, you need to have 9.2.(1) software release or higher.

sang-l
Level 1
Level 1
In response to Boris Uskov

‎12-14-2015 11:57 PM

Yes, I will configure iBGP follow your guide.

If we choose option 1. We can configure multi crypto map for 1 interface ?(we have multi site)

Thanks.

0 Helpful

Boris Uskov
Level 4
Level 4
In response to sang-l

‎12-15-2015 12:03 AM

Ok, great.

Usually, it is called not a multi crypto map, but one crypto map with many entries. For example, you can configure crypto map "outside_1_map" with three entries:

crypto map outside_1_map 1 match address acl-cryptomap-1
crypto map outside_1_map 1 set pfs 
crypto map outside_1_map 1 set peer X.X.X.X 
crypto map outside_1_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_1_map 2 match address acl-cryptomap-shop2
crypto map outside_1_map 2 set pfs 
crypto map outside_1_map 2 set peer Y.Y.Y.Y 
crypto map outside_1_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_1_map 3 match address acl-cryptomap-3
crypto map outside_1_map 3 set pfs 
crypto map outside_1_map 3 set peer Z.Z.Z.Z
crypto map outside_1_map 3 set ikev1 transform-set ESP-3DES-SHA

And bind this crypto map "outside_1_map" to the outside interface:

crypto map outside_1_map interface outside_1

sang-l
Level 1
Level 1
In response to Boris Uskov

‎12-15-2015 12:41 AM

Hi Boris,

You can instruction me configure OSPF over two IPsec tunnels ?

I want have two option for configure but I don't understand configure ospf over ipsec tunnel.

Thanks.

0 Helpful

Boris Uskov
Level 4
Level 4
In response to sang-l

‎12-15-2015 12:49 AM

There was a link to cisco site with configuration example, but it disappeared. Please, see the following example (it is rather the same):

http://www.networkengineerblog.com/2009/12/configuring-ospf-on-cisco-asa-firewall.html

sang-l
Level 1
Level 1
In response to Boris Uskov

‎12-15-2015 01:13 AM

Thanks Boris.

0 Helpful

donglt001
Level 1
Level 1
In response to Boris Uskov

‎12-22-2015 04:39 AM

Hi Boris,

If wan link is MPLS L3. iBGP on two ASA can see route on routing table. But can not access, because Office net( 192.168.1.0/24) ping to Datacenter net(10.0.0.0/24)  when traffic go out interface outside_2, router ISP will drop because it can not aware route(192.168.1.0 and 10.0.0.0/24) to foward.

Request ISP route on router is unavailable.

One option for solution is build two IPsec tunnels with crypto maps for each remote office. I will do it and let you know the result.

0 Helpful

donglt001
Level 1
Level 1
In response to Boris Uskov

‎12-16-2015 08:43 AM

Hi Boris, 

Can you post full configuration ASA Office and ASA Data center ?

We want refer.

Thanks.

0 Helpful

Boris Uskov
Level 4
Level 4
In response to donglt001

‎12-17-2015 06:15 AM

Sorry, I don't have the configuration. It is not my network. The question was opened by Yannick Vranckx.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card