05-11-2012 10:37 AM - edited 03-03-2019 06:34 AM
Sites A, B, C.
Each has a pair of ASAs, active/passive.
Sites A and B are the primary IPsec VPN B2B sites.
Can I configure it so that if the connection to site A or B fails, the traffic will route to site C? This scenario will occur in the event of a complete loss of a site and active/passive firewalls does work in site A or B.
Thanks
Sent from Cisco Technical Support iPhone App
05-12-2012 05:27 AM
Hi Mustafa,
I am sure it's possible, but before we discuss further, can you please explain how the 3 sites are connected, etc.? Is there a network diagram that you can post up here?
Regards, Kishore
05-12-2012 06:21 AM
I don't have a network diagram. All three sites are connected via AT&T MPLS network.
However, this new application requires a second connection via Internet and VPN between sites for PCI compliance purposes.
So basically broadband type Internet connection between all three sites for VPN purposes
Thanks
Sent from Cisco Technical Support iPhone App
05-18-2012 08:21 AM
You guys don't have some kind of routing protocol in place? I have worked at a couple of different places where we had two VPNs set up between sites and we used EIGRP. So if one would go down, EIGRP would send over the other VPN. Of course you'll need to do GRE or VTI to configure EIGRP across the VPN.
03-10-2013 10:00 AM
Hi,
If I understand correctly, you have MPLS as the primary mode of connection across sites A, B & C, and are looking for VPN over the Internet as a backup solution.
I would suggest you go with Cisco DMVPN rather than GRE/IPsec (though GRE/IPsec works fine). You can use a dynamic routing protocol such as EIGRP/OSPF over DMVPN as your backup solution when the primary is down.
Alternatively, if your application is hosted in a primary site, you could provide a Remote Access VPN solution (e.g., Cisco AnyConnect SSL VPN) with RSA two-factor authentication for users to dial in.
Regards,
VIdyadhar Evani.
03-11-2013 02:37 AM
DMVPN would be the best option if it were not an ASA.
Since the ASA does not support it, you could use two static routes for the same destination IP/subnet, one pointing to the primary path/link and the other to the secondary with a higher AD, and use IP SLA with it.
Hope this helps.
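
The floating static route with IP SLA tracking described in the last reply, as an added configuration example that is not from the thread. The interface names (`mpls`, `outside`), next hops, probe target and remote subnet are hypothetical and use documentation address ranges.

```cisco
! Constructed example values (assumptions, not from the thread):
!   remote site LAN ............ 10.20.0.0/24
!   primary next hop (MPLS) .... 192.0.2.1 on interface "mpls"
!   backup next hop (Internet) . 198.51.100.1 on interface "outside"
!   probe target ............... 192.0.2.10, reachable only via the MPLS path
!
! 1. Probe the primary path with ICMP echo every 5 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface mpls
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! 2. Tie a track object to the reachability result of the probe.
track 1 rms 10 reachability
!
! 3. Primary route: installed only while track 1 is up.
route mpls 10.20.0.0 255.255.255.0 192.0.2.1 1 track 1
!
! 4. Backup (floating) route: same destination, higher administrative
!    distance, so it is used only when the tracked route is withdrawn.
!    Traffic leaving "outside" must still match the crypto map ACL for the
!    site-to-site tunnel, otherwise it leaves the firewall unencrypted.
route outside 10.20.0.0 255.255.255.0 198.51.100.1 254
!
! Verification commands:
!   show track 1
!   show sla monitor operational-state 10
!   show route 10.20.0.0
```

Pick a probe target that answers only over the primary path; if it is also reachable over the backup link, the track object never goes down and failover does not trigger.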