12-20-2011 01:42 PM - edited 03-04-2019 02:42 PM
Hi,
Below is my current network setup.
{ INTERNET_1 }======== IPSec Tunnel ========{ INTERNET_2 }
      |                                             |
   [ASA_1]---[ DMZ_1 ]                 [ DMZ_2 ]---[ASA_2]
      |                                             |
[ L3_SW_1 ]------------- 1 Gb Fiber -------------[ L3_SW_2 ]
OSPF and static routing are used on L3_SW_1 and L3_SW_2, while only static routing is used on ASA_1 and ASA_2. How can I use the IPSec tunnel configured on the ASAs as a backup path in case the fiber link goes down? I would like to avoid using OSPF on the ASAs, as per security recommendations; is this possible?

I'm having trouble coming up with the proper routing to do this. L3_SW_1 has two static routes, one for the internet and one for DMZ_1, and ASA_1 has static routes for packets destined to go back to L3_SW_1, so I find myself in a loop when trying to add a second route on L3_SW_1 to ASA_1, since ASA_1 has a static route back to L3_SW_1. Any recommendations would be much appreciated. Thank you.
-- Matteo
12-20-2011 01:47 PM
Create a GRE tunnel from L3_SW_1 to L3_SW_2 that traverses the IPSEC tunnel. The source and destination for the GRE tunnel are 2 x /32 loopback interfaces, which are statically routed to the ASAs.
You can run any dynamic routing protocol over the 1 Gb fibre, with the GRE tunnel as backup. You just amend the route metrics for whichever routing protocol you use. I do this using OSPF/EIGRP in a 250+ site network.
HTH
12-20-2011 02:03 PM
Thanks Andrew, I will try what you said.
I did try the example here
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
but every time I published the loopbacks in OSPF it would tunnel over the fiber, since it would learn about the other side. So I guess the 2 x loopbacks per L3_SW should not be published in OSPF, and I should only create static routes to the ASA like you said.
-- Matteo
12-20-2011 02:50 PM
That is the basic requirement for any dynamic routing protocol; you will also have recursive routing. The tunnel endpoints MUST not be advertised into any routing protocol. They MUST be static, or you can never say 100% which path the tunnel will take. With statics, you will know it will always be via the IPSEC VPN. Then you can run OSPF "inside" the GRE tunnel with no issues.
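The design described in Andrew's two replies (GRE between two /32 loopbacks that are statically routed to the ASAs, OSPF over the fibre and inside the tunnel, tunnel cost raised so the fibre wins), written out as an added configuration example. This is not config posted in the thread. Every address, VLAN/interface name, object name, process ID and crypto map name is assumed for illustration; the ASA lines use the 8.3+ object NAT syntax, and only the pieces that change for the GRE design are shown, the existing IKE/IPsec policy on the ASAs being left as it is.

```cisco
! ===== L3_SW_1 (IOS) =====  all addresses assumed for illustration
!
! Tunnel endpoint: a /32 loopback that is deliberately NOT put into OSPF
interface Loopback0
 ip address 192.168.101.1 255.255.255.255
!
! Routed link to ASA_1 inside interface (ASA_1 is 10.1.255.2)
interface Vlan255
 ip address 10.1.255.1 255.255.255.252
!
! 1 Gb fibre to L3_SW_2: primary path, low OSPF cost
interface GigabitEthernet1/0/1
 description Fibre to L3_SW_2
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip ospf cost 10
!
! GRE tunnel between the loopbacks; rides the ASA-to-ASA IPsec tunnel
! High OSPF cost so it is only used when the fibre path is gone
interface Tunnel0
 description GRE to L3_SW_2 over IPsec
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 1000
 tunnel source Loopback0
 tunnel destination 192.168.102.1
 tunnel mode gre ip
!
! Statics: the remote endpoint is reached ONLY via ASA_1, so GRE packets can
! never be routed over the fibre or into Tunnel0 itself (recursive routing)
ip route 192.168.102.1 255.255.255.255 10.1.255.2
ip route 0.0.0.0 0.0.0.0 10.1.255.2
!
! OSPF: inside LAN, fibre link and tunnel subnet. Loopback0 is absent on purpose.
! passive-interface default keeps OSPF hellos off the ASA-facing VLAN.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface Tunnel0
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ===== ASA_1 (8.3+ syntax assumed) =====
! Return routes toward L3_SW_1 (inside LAN and the local loopback)
route inside 10.1.0.0 255.255.0.0 10.1.255.1
route inside 192.168.101.1 255.255.255.255 10.1.255.1
!
! Keep loopback-to-loopback GRE out of NAT (identity NAT)
object network SITE1_LO
 host 192.168.101.1
object network SITE2_LO
 host 192.168.102.1
nat (inside,outside) source static SITE1_LO SITE1_LO destination static SITE2_LO SITE2_LO
!
! Crypto ACL for the existing site-to-site tunnel: only GRE between the loopbacks.
! All inter-site traffic is inside the GRE, so nothing else needs to match.
access-list VPN_SITE2 extended permit gre host 192.168.101.1 host 192.168.102.1
crypto map OUTSIDE_MAP 10 match address VPN_SITE2
!
! ===== L3_SW_2 (IOS): mirror image, only the differing values =====
interface Loopback0
 ip address 192.168.102.1 255.255.255.255
interface Vlan255
 ip address 10.2.255.1 255.255.255.252
interface GigabitEthernet1/0/1
 ip address 10.255.0.2 255.255.255.252
 ip ospf cost 10
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 1000
 tunnel source Loopback0
 tunnel destination 192.168.101.1
 tunnel mode gre ip
ip route 192.168.101.1 255.255.255.255 10.2.255.2
ip route 0.0.0.0 0.0.0.0 10.2.255.2
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface Tunnel0
 network 10.2.0.0 0.0.255.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! ===== ASA_2 (8.3+ syntax assumed) =====
route inside 10.2.0.0 255.255.0.0 10.2.255.1
route inside 192.168.102.1 255.255.255.255 10.2.255.1
access-list VPN_SITE1 extended permit gre host 192.168.102.1 host 192.168.101.1
crypto map OUTSIDE_MAP 10 match address VPN_SITE1
```

The check that matters is `show ip route 192.168.102.1` on L3_SW_1: it must show the static ("S") via 10.1.255.2 and nothing else. If it ever shows an OSPF ("O") entry via the fibre or via Tunnel0, a loopback has leaked into OSPF and the tunnel will recurse or flap, which is the failure Matteo saw. Under normal operation only OSPF hellos cross the tunnel, so `show ip ospf neighbor` should list a neighbour on both Gi1/0/1 and Tunnel0 while `show ip route 10.2.0.0` points at the fibre (cost 10); after `shutdown` on the fibre interface the remote routes reconverge onto Tunnel0 within the OSPF dead interval. Two caveats: GRE tunnel interfaces are not supported on every Catalyst platform, so confirm yours before relying on this, and since the ASA crypto ACL only matches GRE between the two loopbacks, any traffic that needs to cross sites must be routed into the tunnel, not sent to the ASA natively.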