Backup VPN Connection to Main Building

Hello, 

We currently have a Cisco 1941 at one of our branch offices and it is currently being used to route between a metro Ethernet connection to our main buildings and the branch's local subnet. We would like to get an internet connection at the building and use it only for a backup VPN; we would not want any traffic leaving or coming in that interface. We have a card to put in the router to give us another interface to connect to the ISP and we will be purchasing the SEC license to allow us to do a VPN to our ASA at the main building.

What kind of configuration will we need to put in place to accomplish this? I'm assuming that the lack of NAT/PAT rules would prevent traffic from leaving and coming in, or are there other settings that will need to be configured? 

We also currently have the gateway of last resort pointing to the router on the other end of the metro Ethernet line. How do we go about configuring the route out to the internet for the ISP line? 

EIGRP is being used as our routing protocol between our various sites. I have seen reference to that not functioning over an IPSEC tunnel. Is that going to be a concern as well?

Any help would be greatly appreciated. Thanks! 


Richard Burts
Hall of Fame

I did a project for a customer which was very similar to what you describe, a remote site with an Internet connection which was used only for a site to site VPN back to HQ. So I can say that this can be done. Your question about EIGRP over an IPsec VPN has a fairly simple answer. If it is a pure IPsec implementation with no tunnel interface then there is a problem. IPsec processes only unicast traffic and since EIGRP uses multicast there is a problem trying to run EIGRP on an IPsec connection. The solution is to use a tunnel with the IPsec. The traditional solution is to use a GRE tunnel with IPsec encryption. For the customer project that I did we used the newer solution, which is a Virtual Tunnel Interface. VTI uses a tunnel interface with an IPsec protection profile. VTI is generally a bit easier to configure than GRE since VTI does not require a crypto map as GRE does. But either GRE or VTI would work for you and does support EIGRP and other dynamic routing protocols.

You are correct that not having NAT will eliminate traffic from the Branch LAN going out through the Internet not in the IPsec. But that does not prevent some traffic from the router going out into the Internet without IPsec - particularly traffic to and from the router itself. We had an additional protection in our config which I would suggest to you. We did not have a default route for the Internet facing interface. We had a /32 static route for the tunnel end point on the Internet facing interface and no other route for that interface. So the only traffic going out the Internet facing interface is to HQ.

HTH

Rick

So I will need to create a virtual tunnel interface on the 1941 and the ASA 5515-X. Does the 5515-X support VTI? Do you know of any good documentation off hand for setting up a virtual tunnel interface and the VPN configuration between the two?

I will also set a static route on the 1941 pointing only to the endpoint address of the ASA. 

Thank you very much for your detailed reply. It is much appreciated! 

I was so focused on the 1941 and the description of the functionality of the remote site that I failed to pay attention to the mention that the main building has an ASA. The ASA does not support VTI and does not support GRE. So your realistic options are much more limited than what I had described. I believe that you will need to do a standard IPsec site to site VPN between the ASA and the 1941. And that takes EIGRP out of consideration for the VPN. I believe that you probably will need to configure floating static routes to direct traffic to the VPN in the event that EIGRP over the Metro Ethernet withdraws its routes due to failure of the Metro Ethernet.

I still believe that you need to be careful about a default route using the Internet. Assuming that you may need to tunnel traffic from the Branch to the Internet over the IPsec VPN I would suggest that your floating static default route use the ASA outside interface as its next hop and that you have a /32 route on the 1941 for the ASA outside interface address.

Sorry that I missed an important detail in your original post.

HTH

Rick

No need for apologies you are certainly very helpful. 

So to break it down and make sure I am understanding correctly I will need to do the following:

1.) Create a static route on the 1941 with the destination being only the external address of the ASA and the next hop being the ISP router. 

2.) Create a standard IPSEC VPN between the 1941 and the ASA. 

3.) Create a floating static route for the gateway of last resort to the internal address of the ASA. (Tunnel endpoint)

4.) Create a static route on the ASA pointing to the networks local to the remote 1941. I'm assuming with higher administrative distances and then redistributed through EIGRP.

Does this all sound correct? 

Sounds mostly correct. Here are a couple of points:

- 1) right

- 2) right

- 3) the next hop of the floating static default route is probably the ASA external address rather than its internal address.

- 4) Yes higher admin distance for the static on the ASA will prevent it from being used as long as EIGRP over Metro Ethernet is working. And redistributing on the ASA into EIGRP would allow it to be advertised to the main building.

HTH

Rick

Okay so for number 3 I will create the following static route:

ip route 0.0.0.0 0.0.0.0 x.x.x.x 201 (where x.x.x.x is the external address of the ASA for the VPN tunnel) 

So since the policy will be set to encrypt data going to that address it will all be secured correct? Just want to make sure I fully understand what I am doing. 

So on the ASA I will need to create the routes in the opposite direction as floating correct? So lets say I use the 192.168.32.0 network at the remote location. If that is the case I will need to create the following static route:

route inside 192.168.32.0 255.255.255.0 y.y.y.y 201 (where y.y.y.y is the external address of the branch router) 

I am assuming I will need to set it as an inside route because of the filtering and settings, or will it need to be outside and then have rules set up? 

Again, thank you for your help. You have been more than helpful and I appreciate it very much! 

The route on the ASA would use outside and not inside. I am not sure what to say about rules set up. There is no need for access policy rules, other than the rules involved in setting up the site to site VPN. For the VPN you will need an access list to identify the traffic to be protected in the VPN, will need a crypto map and tunnel groups, and probably will need a NAT exemption rule (to indicate that the VPN traffic should not be translated - depending on whether your ASA is translating traffic on the outside interface). But no other access rule is needed for VPN traffic.

HTH

Rick

On the 1941 I will have to create a policy for VPN traffic. If my understanding is correct it will match source and destination IP to decide what to send over the VPN. Will this policy make traffic use the VPN and not the EIGRP route over the Metro Ethernet? Or will the policy not take effect until the route is in place to send traffic over it?

When you talk about a policy for VPN that is what is involved in configuring a crypto map and the things associated with the crypto map (access list to identify traffic to be encrypted, ISAKMP policies, Transform set, etc). You will apply the crypto map on the new interface to the ISP. The crypto map will evaluate all traffic going out the interface to the ISP but will not affect traffic going out the Metro Ethernet.

So it comes down to a consideration of how traffic is being forwarded on the 1941. As long as routing is sending traffic out the Metro Ethernet interface there is no impact from the VPN and if routing changes and begins sending traffic out the interface to the ISP then the VPN is involved.

HTH

Rick
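
The design worked out in this thread (a /32 route to the peer, a floating static default route with AD 201, a crypto map applied only to the ISP interface, NAT exemption and a floating outside route on the ASA), written up as an added configuration example that is not from the thread or from Cisco. The branch LAN 192.168.32.0/24 comes from the thread; every other address, the interface names, the EIGRP AS number 100 and the pre-shared key are assumed placeholders.

```text
! --- Branch 1941 (added example; addresses other than 192.168.32.0/24 are assumed placeholders) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.10
crypto ipsec transform-set TS-HQ esp-aes 256 esp-sha-hmac
! Only branch-LAN-to-HQ-LAN traffic is encrypted; nothing else should use the ISP link
ip access-list extended VPN-TO-HQ
 permit ip 192.168.32.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto map CM-HQ 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-HQ
 match address VPN-TO-HQ
interface GigabitEthernet0/1
 description ISP link, backup VPN only
 ip address 203.0.113.2 255.255.255.252
 crypto map CM-HQ
! /32 route: the ASA outside address is the only destination reachable via the ISP
ip route 198.51.100.10 255.255.255.255 203.0.113.1
! Floating default (AD 201) via the ASA outside address; idle while EIGRP over metro Ethernet is up
ip route 0.0.0.0 0.0.0.0 198.51.100.10 201

! --- HQ ASA 5515-X ---
object network BRANCH-LAN
 subnet 192.168.32.0 255.255.255.0
object network HQ-LAN
 subnet 10.0.0.0 255.0.0.0
access-list VPN-TO-BRANCH extended permit ip object HQ-LAN object BRANCH-LAN
! NAT exemption so VPN traffic is not translated on the outside interface
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set TS-BRANCH esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address VPN-TO-BRANCH
crypto map CM-OUTSIDE 10 set peer 203.0.113.2
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-BRANCH
crypto map CM-OUTSIDE interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
! Floating route to the branch LAN (AD 201), only used when EIGRP over metro Ethernet withdraws it
route outside 192.168.32.0 255.255.255.0 203.0.113.2 201
router eigrp 100
 redistribute static metric 10000 100 255 1 1500
```

If branch Internet traffic should also ride the tunnel during failover, as Rick suggests above, widen VPN-TO-HQ and its mirror VPN-TO-BRANCH to match any destination rather than only the HQ LAN.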

Peter Koltl
Level 7

I recommend IWAN concept and front door VRF.