RIP neighbor on ASA

MikeM-2468
Level 1

It doesn't look like setting a RIP neighbor is possible on the ASA 5505.  Is there a preferred method for configuring RIP between an ASA and a 2800 router?  The intention is to have a site to site VPN on the ASA to the same network that the 2800 routes to.  Two sites each with a 2800 and an ASA with the ASA acting as a backup to the dedicated circuit.

9 Replies

andrew.prince
Level 10

Why do you need a dynamic routing protocol? Static routes will serve just as well.

Sent from Cisco Technical Support iPad App

If the primary link goes down, I need the traffic to go over the backup link automatically.  That's what dynamic routing is for.  It's cumbersome to have to maintain static routes on all of the devices.

Just to understand the topology:

Primary

2800 Router <> 2800 Router

Backup

2800 Router <> ASA > VPN <> 2800 Router

??

This is more accurate:

Primary

2800 Router A <> 2800 Router B

Backup

ASA A > VPN

The 2800 routers are the default gateways for all of the clients.  If the link between the two goes down, all traffic needs to go over the ASA VPN.  But no traffic should go over the VPN if the 2800 link is up.  I understand there's a single point of failure if the 2800 dies completely but that's an acceptable risk.

So you just run RIP over the direct link only. You have a default gateway in the routers pointing to the ASA (you need this anyway for Internet access); if the RIP route over the direct link goes away, the default route picks up for the ASA VPN tunnel. If you run RIP between the ASA and routers, you will need to redistribute a static route and amend the metrics... simple is best.

Sent from Cisco Technical Support iPad App

I must correct one assumption.  All traffic, including Internet, goes over the direct link for compliance reasons.  When the link goes down, everything then goes over the VPN.  In this scenario the Internet traffic can go directly out the ASA without being routed through the VPN.

Nothing changes; for that to work, you just distribute a default route into RIP from the head office. The default static route in the router just needs to have a higher admin distance than the RIP route.

The ASA does not need to run RIP. I have 4 data centres, each with dynamic VPN tunnels to over 200 sites each. My ASAs do not run any dynamic routing protocol, and I have bullet-proof failover.

But do it how you want to, just pointing out there is more than one way to do anything.

Sent from Cisco Technical Support iPad App
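The design described in the reply above, written out as an added IOS configuration example for the two 2800 routers (this is not configuration from the original thread or from either poster; addresses, interface names and the administrative distance of 130 are constructed assumptions):

```cisco
! ---- Head office 2800 (Router A) ----
! Constructed addressing: LAN 10.1.0.0/24, direct link 192.168.100.0/30,
! head office ASA inside interface 10.1.0.254 (assumption).
interface GigabitEthernet0/0
 description LAN - default gateway for head office clients
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/1
 description Direct link to branch Router B
 ip address 192.168.100.1 255.255.255.252
!
! Default route for Internet via the head office ASA (AD 1, static).
ip route 0.0.0.0 0.0.0.0 10.1.0.254
!
! RIP only over the direct link; the LAN is advertised, not RIP-enabled.
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.100.0
 passive-interface GigabitEthernet0/0
 ! Inject the default route into RIP so the branch learns it over the link.
 default-information originate

! ---- Branch 2800 (Router B) ----
! Constructed addressing: LAN 10.2.0.0/24, branch ASA inside 10.2.0.254.
interface GigabitEthernet0/0
 description LAN - default gateway for branch clients
 ip address 10.2.0.1 255.255.255.0
interface GigabitEthernet0/1
 description Direct link to head office Router A
 ip address 192.168.100.2 255.255.255.252
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.100.0
 passive-interface GigabitEthernet0/0
!
! Floating static default toward the branch ASA. AD 130 > RIP's AD 120,
! so it is installed only when the RIP-learned default disappears
! (direct link down). The ASA VPN then carries traffic to head office.
ip route 0.0.0.0 0.0.0.0 10.2.0.254 130
```

With the link up, `show ip route` on Router B shows the default as `R* 0.0.0.0/0 [120/1]` via 192.168.100.1; after the RIP route times out, the `S* 0.0.0.0/0 [130/0]` entry via the ASA takes over, which is the failover behaviour to verify when testing.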

In the end, do I really need RIP?  Can't I just put two default gateways in the 2800 routers, one pointing over the link and the other with a higher metric pointing to the ASA?  Or is that what you originally suggested?

I would say yes, it would be the best option to have a dynamic routing protocol over the link between the 2800 routers. Once those dynamic routes are no longer available, the already existing default route takes over.  However, you could have GRE tunnels traversing the ASA VPN and run a dynamic routing protocol over the GRE tunnel inside the VPN.

That way you could tweak your failover response time down to milliseconds if you so desired.

My point is: just because you can make it complicated, that does not mean it's the best way or even that it will give you the best results.  The ASA is a firewall, not a router; just because it supports routing protocols does not make it a router. Let a firewall be a firewall, and a router be a router. JMTPW.
