VPN with Backup Point to Point Connection

steven.dolan
Level 1

I have an interesting setup where I would like to do the following:

*Note that I am using two ASA 5505s; the network diagram is attached.


There are two sites (A & B).


From Site A, I would like any traffic going to the 192.168.100.0 network to pass through the VPN tunnel.

From Site B, I would like any traffic going to the 192.168.200.0 network to pass through the VPN tunnel.

For the ASA in both sites, this is over the outside interface (0/0).

This configuration has not been a problem for me, as I specified the local and remote traffic and specified the peer on each ASA (10.247.20.2, 10.247.40.2).  Traffic passes through the VPN tunnel just fine.


If for any reason this VPN tunnel goes down (for instance, let's say Site B loses connection to 10.247.40.1), I would like traffic going to the 192.168.200.0/24 network to pass over the point-to-point connection.  This traffic does not have to be encrypted and a VPN tunnel is not needed.

Could anyone give me any suggestions on how to set this up? Let's say the ASA in Site B loses connection to 10.247.40.1 and decides to use the P2P connection.  How does the firewall in Site A know to also start using the P2P connection for this traffic?

2 Replies

Reza Sharifi
Hall of Fame

If you are using static routes for the VPN and the point-to-point circuit, you can use a static route towards the point-to-point circuit with a higher admin distance.  This way, when the next hop towards the VPN goes down, you can use the point-to-point.

Is there a reason for not using the point-to-point as your primary?  Usually point-to-point circuits are more stable and cost more than VPNs, and VPNs are used for backup.

HTH

Our VPN connection will have much more bandwidth than the point-to-point.  It's a case where we upgraded to a new circuit but want to keep the point-to-point as an emergency backup.

If one site were to lose its link and then switch to the backup, how would the other site know to also switch?

I've seen some examples of setups somewhat similar to what I'm trying to do. There have been cases where SLA monitoring is used, etc.  Is this something that you would recommend?

In situations where one site only has one ISP (or outgoing path to the other site), it seems to be much simpler.  In that case, if one path goes down, it then uses the other ISP connection.

However, in my case, I need them both at the same time to know to use either the VPN route or the point-to-point route.

Thanks,
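The floating-static-route approach from the reply above, combined with the SLA tracking mentioned in the follow-up, written out as an added example for the Site B ASA (this is not configuration from either poster). Assumptions not in the thread: Site A's outside/peer address is 10.247.20.2, Site A's next hop is 10.247.20.1, the backup circuit terminates on an interface named `p2p`, and the far ends of that circuit are 172.16.1.1 (seen from B) and 172.16.1.2 (seen from A).

```cisco
! ---- Site B ASA (added example; addresses marked "assumed" are not from the thread) ----
! Probe the REMOTE VPN peer (assumed 10.247.20.2), not the local next hop 10.247.40.1.
! If either side's path to the other breaks, both ASAs see the same probe fail and
! withdraw their primary route at the same time, which is how Site A "knows".
sla monitor 10
 type echo protocol ipIcmpEcho 10.247.20.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary route: same prefix as the backup, tied to the tracker.
! Do not rely on the 0.0.0.0/0 default route as the "primary" here: a /24 backup
! would always beat a /0 primary by longest-prefix match, whatever its distance.
route outside 192.168.200.0 255.255.255.0 10.247.40.1 1 track 1

! Backup: floating static at distance 254 over the P2P circuit (next hop assumed).
! It is only installed while the tracked primary is withdrawn.
route p2p 192.168.200.0 255.255.255.0 172.16.1.1 254

! The crypto map stays bound to "outside", so anything leaving via "p2p" is sent in
! the clear, as the poster intends. Any NAT exemption written for the VPN traffic
! must also match the p2p interface, or the backup path will be translated.

! ---- Site A ASA: the mirror image (next hop 10.247.20.1 and peer 10.247.40.2 assumed) ----
sla monitor 10
 type echo protocol ipIcmpEcho 10.247.40.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 192.168.100.0 255.255.255.0 10.247.20.1 1 track 1
route p2p 192.168.100.0 255.255.255.0 172.16.1.2 254
```

`show route` and `show track 1` on each ASA confirm which path is active; because both sides probe the same end-to-end path, a failure at Site B's link flips both routing tables rather than only one.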
