05-24-2013 09:41 AM - edited 03-11-2019 06:48 PM
Hi,
I have a simple requirment that I am hoping somone can kindly validate.
Running an ASA firewall, I would like to achieve the following:
I would like to setup two external routes for my firewall. The primary/default would use the outside interface. Should this route become unavailable, I would like to route via an IPSec LAN2LAN tunnel, using the outside interface.
My Question, can I run ospf over both the outside and VPN tunnel tunnel to achive this routing scenario (seeing as they reside on the same interface, I am a little conceraned) ?
Any advice apprecaited.
Thank you
Matt
05-24-2013 09:45 AM
Hi,
I think you would need GRE to be able to run routing protocol through a L2L VPN connection.
And ASA cant do IPsec + GRE tunnels like Cisco Routers
So it doesnt really seem possible.
Also I am a bit confused about this purpose. You say you would be using a single interface for both the normal default route and the L2L VPN connection. Wouldnt a failure fail both routes if we presumed this could be done on the ASA alone?
- Jouni
05-24-2013 10:12 AM
thanks for the reponse.
I have just been looking at the ASDM.
It looks like there is a 'Tracking Option' under the routing section. So, you can add a couple static routes one with a higher SLA ID and then track accriding
Not sure how this will work with a crypto map though, may screw it all up. But worth a test.
As for the purpose, they would share the same outside interface but have two different gatways (LAN Router & ISP Router), however, they are in a failover pair. So if the physical ethernet port / connection fails, the ASA would fail to the secondary unit. The failover unit would then pick up the IPSEC VPN route.
thats my thinking anyways
Viable ?
05-24-2013 10:24 AM
Hi,
Sadly I cant really provide much insight to this setup.
But to my understanding you need GRE to be able to run routing through a L2L VPN connection. And as ASA cant do that it is not possible to my understanding.
I still dont understand the setup completely.
Normally your default route would be the ISP Router and if it failed you would start routing towards some LAN Router/L2L VPN. Where would that L2L VPN be connected to?
- Jouni
05-24-2013 10:33 AM
I also don't really understand the scenario ... but the ASA can run routing through a VPN. It's described in the following document:
Still, a router would probably be the better device to achive the desired result.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide