04-06-2009 03:45 PM - edited 03-04-2019 04:16 AM
Hi folks:
First, let me state that I'm not a Cisco hands-on expert. I am trying to architect what appears to be a means for dealing with a common scenario. I am in need of some assistance in helping guide me a bit.
We have several small branch offices that have a router with private point-to-point connectivity as well as an internet router that provides internet access.
Our goal is to attempt to create an IPSEC VPN (Site-to-Site) back to a corporate ASA-5510 at our data center using the INTERNET medium to access our private network. We also want to use the private point-to-point connection to connect as a last resort should the primary (IPSEC VPN) fail.
So we've got a 2800 series router and have setup a static Site-to-Site VPN to our ASA-5510 at the corporate router.
At the client site, this 2800 series router uses the Internet medium (DSL) as the primary medium.
The 2800 has multiple WAN ports and we've hooked up that router and configured a private Point-to-Point address on it.
So the question comes down to how to set up routing to use the VPN route FIRST as the primary route, and then use the Point to Point as the backup route.
I was thinking somehow that EIGRP is the answer, but I'm not sure.
So I need some guidance. What technologies or protocols can you folks guide me to that help me accomplish this?
This is a single router with multiple WAN ports. I was looking at HSRP, but I don't have another router in play at the client site.
What I'm trying to establish is a routing table / protocol that re-routes traffic should the VPN go down over the OTHER Fast Ethernet WAN interface.
I'm worried about bringing up EIGRP because I don't want to cause routing loops inadvertently as this is not my area of "hands on" expertise.
I don't even know if this is the right protocol (EIGRP) to do the job.
The goal isn't to provide redundant ROUTERS, but redundant ROUTES to the destination (our corporate data center).
Any guidance, terms, insights into appropriate protocols, links, would be greatly appreciated.
To me, this seems so trivial, but I'm not familiar enough from a hands-on basis to make this happen.
I appreciate any and all guidance you are willing to provide.
04-06-2009 06:21 PM
Hi,
Don't worry, that's why the forum is here ;-)
How did you configure your IPSec VPN? Did you use a GRE tunnel encrypted by IPSec or just a crypto map on the Internet WAN interface?
It's important because you can't use a dynamic routing protocol like EIGRP with a crypto map.
If you used a GRE tunnel, EIGRP is a good choice because it's easy to configure and converges quickly.
Let me know and we will continue from there
HTH
Laurent.
04-07-2009 12:07 PM
Hi Laurent:
A previous Cisco contractor set up the tunnel using a crypto map.
I was trying to read up a little on using GRE, and we do have EIGRP setup on much of our private network.
Our ASA-5510 with the IPS module is about six months old. We had a VAR install and configure it, then had one of their techs bring up our first "hub and spoke" IPSEC VPN from an 1811 at a branch office. I'm positive that config is using CRYPTO MAP.
Now I have a different 1811 at a site that I want to put redundant interfaces on. This site has a (SLOW) frame relay network that connects directly to our corporate data center. But this site also has a high-speed internet connection.
So we want to use an IPSEC VPN over the higher speed data medium for better performance while leaving the slow (but cheap) Point to Point connection as a fail over route should the VPN go down.
(in the future, we will probably put in 2800 routers at the client site with a 3G card as a backup route, but this is just a concept at this point and may not fly as Verizon/AT&T have highway robbery plans for cellphone data plans.)
Anyway, I hope the info I've provided gives some greater insight.
So do you think at this point that IPSEC with GRE is the right way to go?
Honestly, not being a pure Cisco hands-on guy, I would've thought that routing redundancy within a router would have been a bit simpler, but this is a learning experience for me.
It seems like EIGRP/GRE may be the right answer. I would have thought that redundant routing would be a very common configuration. But like I said, I'm not quite a Cisco "hands on" guru.
Thanks for your help Laurent!
04-07-2009 05:17 PM
Hi,
Thanks for the update. The ASA doesn't support GRE so you can't take that way which makes the solution more complicated.
On the hub site where you have the ASA and the frame-relay router, you need a routing protocol so other routers can choose between the route announced from the FR router and the route announced from the ASA.
As we can't have a routing protocol inside the IPSec tunnel, you could use the RRI feature (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml)
to generate the route. IKE keepalives are on by default on the ASA (http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i3_711.html#wp1670777), so I'm expecting the route to disappear if the remote peer is not reachable anymore. The last thing on the hub site is that the ASA must announce this route with a better metric if you want to use the IPSec tunnel as the nominal path.
Now on the remote site, I would configure a default route pointing to the internet with a tracking object pinging the ASA (http://www.cisco.com/en/US/docs/ios/dial/configuration/guide/dia_rel_stc_rtg_bckup_ps6350_TSD_Products_Configuration_Guide_Chapter.html).
Also add a floating static route pointing to the FR interface if there is no dynamic routing protocol on this path.
HTH
Laurent.
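The design Laurent lays out above (RRI on the ASA hub, a tracked default route at the branch, a floating static route via frame relay) as a worked configuration. This is an added example, not configuration from either poster or from Cisco's documentation; the interface names, addresses (RFC 5737 documentation ranges), crypto map name, SLA and track numbers, EIGRP AS number and timers are all assumptions and must be replaced with the real values. The ASA side assumes a software release that supports EIGRP (8.0(2) or later); on an older 7.x ASA the RRI route would instead have to be picked up by a router next to the ASA.

```cisco
!=== Branch 1811/2800 (IOS) ===
! Assumed addressing: DSL next hop 203.0.113.1, ASA outside address 198.51.100.10,
! FR link on Serial0/0/0. Replace with real values.
!
! Pin the probe (and the IPsec peer) to the DSL path with a host route, so the
! ping still leaves via DSL after the default route has fallen back to FR.
! Without this the probe follows the FR default and can never succeed again.
ip route 198.51.100.10 255.255.255.255 203.0.113.1
!
! IP SLA probe: ICMP echo to the ASA outside address every 10 s, 1 s timeout.
ip sla 10
 icmp-echo 198.51.100.10 source-interface FastEthernet0
 frequency 10
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! Tracking object follows the probe's reachability state.
track 10 ip sla 10 reachability
!
! Primary default route via DSL; withdrawn when track 10 goes down.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
!
! Floating static (AD 250) via frame relay: only installed once the tracked
! route is gone. Drop this line if a routing protocol already runs over FR.
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 250
!
!=== Hub ASA-5510 (assumed EIGRP-capable release) ===
! RRI: when the branch's IPsec SA is up, the ASA installs a static route for the
! branch LAN (10.20.0.0/24 assumed) pointing at the tunnel; IKE dead-peer
! detection removes it when the peer stops answering. "outside_map 10" is the
! assumed name/sequence of the existing site-to-site crypto map entry.
crypto map outside_map 10 set reverse-route
!
! Advertise the RRI route into EIGRP with a better (lower-delay) metric than the
! FR router announces, so the tunnel wins while it is up. Bandwidth/delay values
! are placeholders chosen to beat a slow FR circuit; tune to the real topology.
router eigrp 100
 network 10.0.0.0 255.255.255.0
 redistribute static metric 10000 100 255 1 1500
```

Check with `show ip sla statistics 10`, `show track 10` and `show ip route` on the branch, and `show route` plus `show crypto isakmp sa` on the ASA; pulling the DSL cable should flip track 10 to down, remove the first default route and install the AD-250 one, and clearing the IPsec SA on the ASA should remove the RRI route from its EIGRP advertisements.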