08-21-2013 02:11 PM - edited 03-04-2019 08:50 PM
Hello,
I have a CE router which has two internet links provided by a single ISP. We are running BGP, making one link primary and the other backup using the BGP weight attribute. Now I want traffic from a public IP address (A.A.A.A) at another location to be received through the backup circuit, since the primary circuit's bandwidth remains almost choked. I am doing this using a route-map & prefix-list, but traffic from source (A.A.A.A) still arrives through the primary link. Please tell me where I am going wrong.
neighbor x.x.x.x remote-as 4755
neighbor x.x.x.x update-source FE0/0
neighbor x.x.x.x weight 200
neighbor x.x.x.x prefix-list test in
neighbor y.y.y.y remote-as 4755
neighbor y.y.y.y update-source FE0/1
neighbor y.y.y.y weight 100
ip prefix-list test seq 5 deny B.B.B.B/32
ip prefix-list test seq 10 permit 0.0.0.0/0
08-21-2013 02:43 PM
Hi Anukalp,
Denying a prefix using an inbound prefix-list will affect the outbound traffic. From what I understand, you want to influence the inbound traffic coming from A.A.A.A, hence it is not working as you expected. Can you confirm that this is really what you are trying to achieve? If so, you could influence traffic inbound to a specific destination address in your network, but you can't influence a flow coming from a specific source address to take one link rather than the other.
Regards
08-21-2013 02:57 PM
Hi Harold,
Yes, I have a source at one of my locations and want this source's flow to come over the backup circuit rather than the primary one to my firewall IP. Is it not possible?
08-21-2013 03:53 PM
Hi Anukalp,
I am still a bit confused. So you have an IP address a.a.a.a and you want ingress traffic coming into your network to this specific address to use the backup link? Please confirm.
Regards
08-21-2013 02:51 PM
By the way, the prefix-list you configured specifies B.B.B.B/32 and it will not serve any purpose if you do not receive this route from your ISP. Is this route really being received from your ISP? You also mention CE. Is this in an MPLS VPN service or Internet service context?
Regards
08-21-2013 04:41 PM
Hi Harold,
It is an internet router which I am calling the CE. I have an ASA behind this router. The ASA outside interface IP is configured with a public IP from the public pool provided by the ISP. Actually I am looking to establish an IPsec tunnel over this backup link, since the primary link is usually highly utilized.
I have an ASA at another location whose IP is, let's suppose, (A.A.A.A).
And this end's ASA IP, let's take (B.B.B.B).
So I want the IPsec tunnel to be established over the backup link between A.A.A.A & B.B.B.B.
Please help if it is possible.
08-21-2013 04:45 PM
Routes...
InternetRTR#sh ip bgp
BGP table version is 5, local router ID is 115.114.127.194
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 x.x.x.x 200 4755 ?
* y.y.y.y 100 4755 ?
*> 121.118.96.0/26 0.0.0.0 0 32768 i
08-21-2013 05:23 PM
Hi Anukalp,
Thanks for the clarifications. For the outbound traffic, you can use a static route to A.A.A.A/32 (combined with IP SLA) or PBR to forward traffic through the secondary link. For inbound traffic towards B.B.B.B/32, you could announce a /32 to your SP via the secondary link. This obviously assumes that B.B.B.B/32 is only used as an end point for the IPsec tunnel.
Regards
08-21-2013 05:51 PM
Hi Harold,
I think after announcing B.B.B.B/32 through the backup link, B.B.B.B will be reachable from all sources over the backup link. But I want it reachable over the backup circuit only from source A.A.A.A.
However, could you give a config example of how I could announce B.B.B.B through the backup link? It would be highly appreciated.
08-21-2013 06:10 PM
Hi Anukalp,
>I think after announcing B.B.B.B/32 through the backup link, B.B.B.B will be reachable from all sources over the backup link.
>But I want it reachable over the backup circuit only from source A.A.A.A.
I am afraid that this would be hard to achieve. On the other hand, if you can use separate addresses for the IPsec tunnel end point and the rest of the traffic, it would be much easier. Do you have any free addresses out of the pool that the ISP assigned to you?
>However, could you give a config example of how I could announce B.B.B.B through the backup link? It would be highly
>appreciated.
You would need to originate B.B.B.B/32 locally (via a network statement) and filter it out on the primary link.
! primary neighbor: the outbound prefix-list drops the /32 so it is only advertised to the backup neighbor
neighbor x.x.x.x remote-as 4755
neighbor x.x.x.x weight 200
neighbor x.x.x.x prefix-list test out
network B.B.B.B mask 255.255.255.255
!
ip prefix-list test seq 5 deny B.B.B.B/32
ip prefix-list test seq 10 permit 0.0.0.0/0 le 32
!
! the network statement only picks up B.B.B.B/32 if it is in the routing table;
! IOS requires a next hop or exit interface on this static route
ip route B.B.B.B 255.255.255.255
Regards
08-22-2013 04:11 AM
Hi Harold,
Thanks for your suggestion.
Yes, I can have a free IP from the public IP pool and, as you suggested, we could achieve my requirement through it. Please see below the config of the internet router and share a config example.
----------------------------------------------------------------
interface GigabitEthernet0/0
description ##Primary link##
ip address x.x.x.x 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ##Backup link##
ip address y.y.y.y 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
description ### Public LAN Pool###
ip address 121.118.96.2 255.255.255.192
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
router bgp 64512
no synchronization
bgp log-neighbor-changes
network 121.118.96.0 mask 255.255.255.192
neighbor x.x.x.x remote-as 4755
neighbor x.x.x.x update-source GigabitEthernet0/0
neighbor x.x.x.x weight 200
neighbor x.x.x.x prefix-list Out out
neighbor y.y.y.y remote-as 4755
neighbor y.y.y.y update-source GigabitEthernet0/1
neighbor y.y.y.y weight 100
neighbor y.y.y.y prefix-list Out out
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0
----------------------------------------------------------------------------------
Let's take a free IP from the pool: 121.118.96.10
ASA IP: 121.118.96.1
Please share a config example of how IP 121.118.96.10 could be reachable via the backup link while all other traffic is not influenced.
Thanks in advance.
08-22-2013 04:28 AM
Hi Anukalp,
You are almost there. You need to change the prefix-list as follow:
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0 le 32 <+++++ Deny any
and you also need to originate the host route.
ip route 121.118.96.10 255.255.255.255 121.118.96.1
router bgp 64512
network 121.118.96.10 mask 255.255.255.255
You should also discuss with your ISP to make sure that they will not filter out the host route. It should not be a problem, but you might want to check with them.
Regards
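The prefix-list semantics behind the "Deny any" change above, and behind the `permit 0.0.0.0/0 le 32` in the earlier reply, as an added example (not code from the thread): the model below reproduces the IOS rules (entries evaluated in sequence order, first match wins, implicit deny at the end, and an entry without `ge`/`le` matching only that exact prefix length) and applies them to the lists posted in this thread. 121.118.96.1 stands in for the placeholder B.B.B.B, and the list `Out-Backup` for the backup neighbor is an assumption; it shows that the /32 host route has to be permitted explicitly somewhere, because both versions of `Out` deny it.

```python
"""Model of how Cisco IOS evaluates an `ip prefix-list` (constructed example)."""
import ipaddress
import re

_ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_list(text):
    """Parse IOS-style prefix-list lines into (seq, action, base, ge, le) tuples."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        base = ipaddress.ip_network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        entries.append((int(m["seq"]), m["action"], base, ge, le))
    entries.sort(key=lambda e: e[0])  # IOS walks the entries in seq order
    return entries


def entry_matches(base, ge, le, candidate):
    """An entry matches when the candidate lies inside `base` and its prefix
    length falls in the range selected by ge/le:
      no ge, no le -> exactly base.prefixlen
      ge only      -> ge .. max
      le only      -> base.prefixlen .. le
      ge and le    -> ge .. le
    """
    if candidate.version != base.version or not candidate.subnet_of(base):
        return False
    if ge is None and le is None:
        low = high = base.prefixlen
    else:
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else base.max_prefixlen
    return low <= candidate.prefixlen <= high


def evaluate(entries, prefix):
    """Return (action, seq) of the first matching entry, or ("deny", None)
    for the implicit deny that ends every IOS prefix-list."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for seq, action, base, ge, le in entries:
        if entry_matches(base, ge, le, candidate):
            return action, seq
    return "deny", None


# Lists from the thread, reproduced as constructed input; 121.118.96.1 stands
# in for the placeholder B.B.B.B.
INBOUND_TEST = parse_prefix_list("""
ip prefix-list test seq 5 deny 121.118.96.1/32
ip prefix-list test seq 10 permit 0.0.0.0/0
""")
OUT_ORIGINAL = parse_prefix_list("""
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0
""")
OUT_DENY_ANY = parse_prefix_list("""
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0 le 32
""")
# Assumed list for the backup neighbor only: without an explicit permit the
# /32 host route is never advertised on either link.
OUT_BACKUP = parse_prefix_list("""
ip prefix-list Out-Backup seq 5 permit 121.118.96.0/26
ip prefix-list Out-Backup seq 10 permit 121.118.96.10/32
ip prefix-list Out-Backup seq 20 deny 0.0.0.0/0 le 32
""")

CANDIDATES = ("0.0.0.0/0", "10.0.0.0/8", "121.118.96.0/26", "121.118.96.10/32")


def decisions(entries, candidates=CANDIDATES):
    """Map each candidate prefix to the action the list takes on it."""
    return {p: evaluate(entries, p)[0] for p in candidates}


if __name__ == "__main__":
    for name, entries in (("test (in)", INBOUND_TEST), ("Out", OUT_ORIGINAL),
                          ("Out le 32", OUT_DENY_ANY), ("Out-Backup", OUT_BACKUP)):
        print(f"{name:12} {decisions(entries)}")
```

Two things fall out of running it: `deny 0.0.0.0/0` without `le 32` matches only the default route itself, so the original `Out` list already rejected everything except the /26 through the implicit deny, and the "Deny any" rewrite changes which entry is hit but not the outcome; and the original inbound list `permit 0.0.0.0/0` accepts nothing but the default route from the ISP, which is consistent with the `sh ip bgp` output posted above.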
08-22-2013 04:54 AM
Hi Harold,
Thanks for your help, but I am seeing one more challenge here. Actually I am looking to establish a GRE over IPsec tunnel. If I NAT the tunnel source IP to the free public IP toward the tunnel destination IP, and the other side does no NAT for this end's tunnel source to the destination public IP, then will the tunnel come up? If I ping the tunnel destination IP sourcing from the tunnel IP, will it be pingable?
Please help on this too.
08-22-2013 08:52 AM
Hi Harold,
Please suggest whether the GRE over IPsec tunnel will come up with your suggested changes, taking a separate IP out of the public pool, or whether it is possible at all.
08-22-2013 11:21 AM
Hi Anukalp,
I am no security or ASA expert, but I think the IPsec tunnel should not be NATed. It would simply use a separate public IP address as the tunnel source. There is absolutely no need for NAT in this case.
Regards
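Putting the advice from this thread together (the /32 announced on the backup link only, and the static route with IP SLA for the outbound direction suggested earlier), as an added configuration example that is not from the thread. It assumes the addressing posted above: primary peer x.x.x.x on GigabitEthernet0/0, backup peer y.y.y.y on GigabitEthernet0/1 (taken as the ISP's side of the backup /30), pool 121.118.96.0/26, ASA outside 121.118.96.1, tunnel endpoint 121.118.96.10 and remote endpoint A.A.A.A; the list name Out-Backup and the SLA and track numbers are assumptions. One caveat for the tunnel itself: an ASA sources IPsec from its interface address and does not terminate GRE, so a GRE over IPsec tunnel ending on 121.118.96.10 has to terminate on a router (for example a loopback on this one), while a plain IPsec tunnel on the ASA would need the ASA's outside address to be the one advertised.

```cisco
! Inbound direction: advertise the /26 on both links, the /32 on the backup link only.
router bgp 64512
 no synchronization
 bgp log-neighbor-changes
 network 121.118.96.0 mask 255.255.255.192
 network 121.118.96.10 mask 255.255.255.255
 neighbor x.x.x.x remote-as 4755
 neighbor x.x.x.x update-source GigabitEthernet0/0
 neighbor x.x.x.x weight 200
 neighbor x.x.x.x prefix-list Out out
 neighbor y.y.y.y remote-as 4755
 neighbor y.y.y.y update-source GigabitEthernet0/1
 neighbor y.y.y.y weight 100
 neighbor y.y.y.y prefix-list Out-Backup out
!
! Primary: the /32 matches nothing but the final deny-any.
ip prefix-list Out seq 5 permit 121.118.96.0/26
ip prefix-list Out seq 10 deny 0.0.0.0/0 le 32
!
! Backup (assumed name): the same /26, so the link still backs up everything,
! plus the host route for the tunnel endpoint.
ip prefix-list Out-Backup seq 5 permit 121.118.96.0/26
ip prefix-list Out-Backup seq 10 permit 121.118.96.10/32
ip prefix-list Out-Backup seq 20 deny 0.0.0.0/0 le 32
!
! A network statement only advertises what is in the RIB, so install the host
! route. The next hop must be the device that actually holds 121.118.96.10
! (the reply above points it at the ASA); if .10 is a loopback on this router
! the connected /32 already satisfies the network statement and no static is needed.
ip route 121.118.96.10 255.255.255.255 121.118.96.1
!
! Outbound direction: a /32 static for the remote endpoint beats the BGP
! default and pins that traffic to the backup link. Track the ISP's end of the
! backup /30 so the static is withdrawn, and traffic falls back to the primary
! default, when the backup link fails. Probing A.A.A.A itself can flap, because
! the probe would follow the very static it controls. If the ISP does not
! answer ICMP on the /30, track a stable upstream address instead.
ip sla 1
 icmp-echo y.y.y.y source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route A.A.A.A 255.255.255.255 y.y.y.y track 1
!
! Verification, with the expected result of each command:
! show ip bgp neighbors y.y.y.y advertised-routes   -> 121.118.96.0/26 and 121.118.96.10/32
! show ip bgp neighbors x.x.x.x advertised-routes   -> 121.118.96.0/26 only
! show ip route A.A.A.A                              -> static via y.y.y.y out GigabitEthernet0/1
```

Once the ISP confirms it accepts the /32 (as the reply above recommends checking), inbound traffic for 121.118.96.10 arrives on the backup link from every source, which is exactly why a dedicated address is needed: the /32 cannot be made selective per remote source, but the rest of the /26 keeps its existing primary/backup behaviour. Nothing here is NATed; the tunnel endpoint simply owns 121.118.96.10 directly.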