07-29-2011 08:49 AM - edited 03-11-2019 02:05 PM
It doesn't look like setting a RIP neighbor is possible on the ASA 5505. Is there a preferred method for configuring RIP between an ASA and a 2800 router? The intention is to have a site-to-site VPN on the ASA to the same network that the 2800 routes to. Two sites, each with a 2800 and an ASA, with the ASA acting as a backup to the dedicated circuit.
07-29-2011 11:07 AM
Why do you need a dynamic routing protocol? Static routes will serve just as well.
Sent from Cisco Technical Support iPad App
07-29-2011 11:10 AM
If the primary link goes down, I need the traffic to go over the backup link automatically. That's what dynamic routing is for. It's cumbersome to have to maintain static routes on all of the devices.
07-29-2011 11:21 AM
Just to understand the topology:
Primary: 2800router
Backup: 2800Router <> ASA > VPN
??
07-29-2011 11:34 AM
This is more accurate:
Primary: 2800router A
Backup: ASA A > VPN
The 2800 routers are the default gateways for all of the clients. If the link between the two goes down, all traffic needs to go over the ASA VPN. But no traffic should go over the VPN if the 2800 link is up. I understand there's a single point of failure if the 2800 dies completely but that's an acceptable risk.
07-29-2011 11:49 AM
So you just run RIP over the direct link only. You have a default gateway in the routers pointing to the ASA (you need this anyway for Internet access); if the RIP route over the direct link goes away, the default route picks up for the ASA VPN tunnel. If you run RIP between the ASA and routers, you will need to redistribute a static route and amend the metrics... simple is best.
Sent from Cisco Technical Support iPad App
07-29-2011 12:00 PM
I must correct one assumption. All traffic, including Internet, goes over the direct link for compliance reasons. When the link goes down, everything then goes over the VPN. In this scenario the Internet traffic can go directly out the ASA without being routed through the VPN.
07-29-2011 12:09 PM
Nothing changes. For that to work, you just distribute a default route into RIP from the head office. The default static route in the router just needs to have a higher admin distance than the RIP route.
The ASA does not need to run RIP. I have 4 data centres, each with dynamic VPN tunnels to over 200 sites; my ASAs do not run any dynamic routing protocol, and I have bulletproof failover.
But do it how you want to, just pointing out there is more than one way to do anything.
Sent from Cisco Technical Support iPad App
08-01-2011 10:36 AM
In the end, do I really need RIP? Can't I just put two default gateways in the 2800 routers. One pointing over the link and the other with a higher metric pointing to the ASA? Or is that what you originally suggested?
08-01-2011 10:49 AM
I would say yes, it would be the best option to have a dynamic routing protocol over the link between the 2800 routers. Once those dynamic routes are no longer available, the already existing default route takes over. However, you could have GRE tunnels traversing the ASA VPN and run a dynamic routing protocol over the GRE tunnel inside the VPN.
That way you could tweak your failover response time down to milliseconds if you so desired.
My point is: just because you can make it complicated, that does not mean it's the best way or even that it will give you the best results. The ASA is a firewall, not a router; just because it supports routing protocols does not make it a router. Let a firewall be a firewall, and a router be a router. JMTPW.
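The design the two replies above converge on (RIP only between the 2800s over the direct circuit, head office originating the default into RIP, a floating static default on each router pointing at its local ASA, and the ASA itself not running any routing protocol) written out as IOS configuration. This is an added example, not configuration posted by anyone in the thread. Every address, interface name and key string is an assumption: site A LAN 10.1.0.0/24 with ASA A inside at 10.1.0.254, site B LAN 10.2.0.0/24 with ASA B inside at 10.2.0.254, the circuit on 192.0.2.0/30, and Serial0/0/0 as the WAN interface on both routers.

```cisco
! ===== Site A (head office) 2800 =====
! Assumed: LAN 10.1.0.0/24, ASA A inside = 10.1.0.254, circuit 192.0.2.0/30
!
! MD5 authentication so a rogue neighbour on the circuit cannot inject
! routes (a forged 0.0.0.0/0 would silently redirect all site traffic).
key chain RIP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet0/0
 description Site A LAN - clients' default gateway
 ip address 10.1.0.1 255.255.255.0
!
interface Serial0/0/0
 description Dedicated circuit to site B
 ip address 192.0.2.1 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.0.2.0
 ! no RIP updates toward the clients; only the circuit carries RIP
 passive-interface GigabitEthernet0/0
 ! head office advertises 0.0.0.0/0 to site B so Internet-bound traffic
 ! crosses the circuit while it is up (the compliance requirement)
 default-information originate
 ! update/invalid/holddown/flush in seconds. IOS defaults are 30/180/180/240,
 ! which means minutes to age out a route if the circuit stays "up" but
 ! stops passing traffic. Must be identical on both routers.
 timers basic 5 15 15 30
!
! Head office's Internet exit is its own ASA (static, AD 1). Site B's LAN is
! learned via RIP; when that route disappears, this default already points
! at ASA A, whose crypto ACL carries 10.1.0.0/24 -> 10.2.0.0/24 into the VPN.
ip route 0.0.0.0 0.0.0.0 10.1.0.254

! ===== Site B 2800 =====
! Assumed: LAN 10.2.0.0/24, ASA B inside = 10.2.0.254
key chain RIP-KEYS
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet0/0
 description Site B LAN - clients' default gateway
 ip address 10.2.0.1 255.255.255.0
!
interface Serial0/0/0
 description Dedicated circuit to site A
 ip address 192.0.2.2 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.0.2.0
 passive-interface GigabitEthernet0/0
 timers basic 5 15 15 30
!
! Floating static default. Administrative distance 200 is higher than RIP's
! 120, so this route is installed only while the RIP-learned 0.0.0.0/0 from
! head office is absent. Then all site B traffic goes to ASA B: its crypto ACL
! sends 10.2.0.0/24 -> 10.1.0.0/24 over the tunnel and the rest is NATed out
! directly, which is the failure-mode behaviour asked for in the thread.
ip route 0.0.0.0 0.0.0.0 10.2.0.254 200
!
! Verification on site B:
!   show ip route 0.0.0.0
! shows "R* 0.0.0.0/0 ... via 192.0.2.1" while the circuit is up, and
! "S* 0.0.0.0/0 ... via 10.2.0.254" after a "shutdown" on Serial0/0/0.
```

Two things worth checking before relying on this. First, failover is only as fast as RIP notices the loss: if Serial0/0/0 goes down the RIP routes through it are withdrawn immediately, but if the circuit stays up while the far end is unreachable you wait for the invalid timer, which is why the timers are shortened here. Second, the ASAs keep a plain static route toward their ISP and whatever inside routes they need; nothing on the ASA changes during failover, which is exactly the point the second responder makes.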