09-19-2008 09:49 AM - edited 03-03-2019 11:37 PM
I have a site that has a single MPLS link to it. I have an ASA firewall out there connected to a DSL internet connection. My question is where can I find a good guide to help me configure routing on my router or switch to use the ASA VPN tunnel back to my datacenter if the WAN link goes down?
Thanks for any help.
Mark
09-19-2008 11:40 AM
Hi Mark,
You can failover to VPN using a static route with a higher AD. Let us assume that your network is running a routing protocol and it has a dynamic route for remote subnet x.x.x.x. So you can add the following static route on the internal router:
ip route x.x.x.x <subnet mask> y.y.y.y <AD higher than the dynamic route>
So when the router loses the dynamic route it will install this static route, which points traffic towards the ASA to the VPN.
HTH
Saju
Pls rate helpful posts
09-19-2008 12:32 PM
Thanks Saju, that part at the remote site I understand thanks to your help, but what I need to figure next is in my Datacenter what would I need to do to make sure subnet that comes in over the VPN tunnel goes back out the tunnel and not over the WAN.
09-19-2008 01:06 PM
Hi,
I understood that you are looking for the following scenario:
The MPLS link is on the Cisco router and the VPN tunnel is on the ASA firewall. So your requirement is that if MPLS goes down, the VPN has to trigger automatically, right?
If that is the scenario, go ahead with the following steps.
It worked for me.
First you have to place a default route in the router as follows:
ip route <InsideLanID> <subnetmask> <ASAinterfaceIP>
Please find the attachment for the ASA-end configuration steps.
Pls rate me if it helped you.
09-19-2008 01:09 PM
Thanks for the document. So say my remote location is 10.97.x.x and the 10.97.x.x is going over the VPN tunnel to my central data center. How will my core switch know not to send the 10.97.x.x out over the MPLS cloud, but back to the VPN tunnel?
12-02-2008 11:37 AM
Hi - I am running into a similar situation and did a search on the forums and noticed your query. Wondering if you were able to resolve this.
My take is to have a similar static route for the remote site at the DC with a higher admin distance. So, at the remote site you have a default route with, say, distance 250 pointing to the remote site firewall which terminates the VPN. And at the DC, you have static routes to the remote site subnets with a high distance pointing to the hub end of the firewall that terminates the VPN.
Did you have a similar approach?
rgds
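The failover mechanism the replies describe, a floating static route with a higher administrative distance at the remote site and a matching one at the data centre, modelled as an added example. This is not configuration from the thread: the `Rib` class, the addresses, the BGP administrative distance of 20 and the floating distance of 250 are constructed for illustration (10.97.0.0/16 is the remote LAN mentioned above; everything else is assumed).

```python
"""Floating static route failover, as discussed in the thread.

Added example, not configuration from the thread. All addresses, the
administrative distances and the Rib class are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    admin_distance: int   # lower is preferred, as on IOS
    source: str           # e.g. "bgp" (learned over MPLS) or "static"


class Rib:
    """Minimal routing table: keeps every candidate route and installs,
    per prefix, the one with the lowest administrative distance."""

    def __init__(self) -> None:
        self._candidates: List[Route] = []

    def add(self, route: Route) -> None:
        self._candidates.append(route)

    def withdraw(self, source: str, prefix: ipaddress.IPv4Network) -> None:
        """Drop a route learned from `source`, e.g. when the MPLS neighbour goes away."""
        self._candidates = [r for r in self._candidates
                            if not (r.source == source and r.prefix == prefix)]

    def candidates(self, source: str, prefix: ipaddress.IPv4Network) -> List[Route]:
        return [r for r in self._candidates if r.source == source and r.prefix == prefix]

    def installed(self) -> Dict[ipaddress.IPv4Network, Route]:
        best: Dict[ipaddress.IPv4Network, Route] = {}
        for r in self._candidates:
            cur = best.get(r.prefix)
            if cur is None or r.admin_distance < cur.admin_distance:
                best[r.prefix] = r
        return best

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the installed routes."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for p, r in self.installed().items() if addr in p]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed values (assumptions, not from the thread, except 10.97.0.0/16).
REMOTE_LAN = ipaddress.IPv4Network("10.97.0.0/16")   # remote site LAN
DC_LAN = ipaddress.IPv4Network("10.1.0.0/16")        # data-centre LAN
MPLS_PE_HUB = "192.0.2.1"        # provider edge next hop seen by the DC core
ASA_HUB_INSIDE = "10.1.255.2"    # hub ASA inside interface
MPLS_PE_SPOKE = "192.0.2.2"      # provider edge next hop seen by the remote router
ASA_SPOKE_INSIDE = "10.97.255.2" # remote ASA inside interface
DYNAMIC_AD = 20                  # eBGP from the MPLS provider
FLOATING_AD = 250                # higher than any dynamic protocol, so it only wins when they vanish


def build_hub_rib() -> Rib:
    """DC core: remote LAN learned over MPLS plus a floating static towards
    the hub ASA (the final post's suggestion)."""
    rib = Rib()
    rib.add(Route(REMOTE_LAN, MPLS_PE_HUB, DYNAMIC_AD, "bgp"))
    rib.add(Route(REMOTE_LAN, ASA_HUB_INSIDE, FLOATING_AD, "static"))
    return rib


def build_spoke_rib() -> Rib:
    """Remote router: DC LAN learned over MPLS plus a floating static to the
    local ASA (Saju's suggestion)."""
    rib = Rib()
    rib.add(Route(DC_LAN, MPLS_PE_SPOKE, DYNAMIC_AD, "bgp"))
    rib.add(Route(DC_LAN, ASA_SPOKE_INSIDE, FLOATING_AD, "static"))
    return rib


def next_hop_for(rib: Rib, dst: str) -> Optional[str]:
    r = rib.lookup(dst)
    return r.next_hop if r else None


def simulate_mpls_failure(rib: Rib, prefix: ipaddress.IPv4Network, dst: str) -> List[Optional[str]]:
    """Next hop before, during and after an MPLS outage: the dynamic route is
    withdrawn, the floating static takes over, and the dynamic route pre-empts
    it again once the MPLS neighbour is back."""
    before = next_hop_for(rib, dst)
    saved = rib.candidates("bgp", prefix)
    rib.withdraw("bgp", prefix)
    during = next_hop_for(rib, dst)
    for r in saved:
        rib.add(r)
    after = next_hop_for(rib, dst)
    return [before, during, after]


if __name__ == "__main__":
    print("hub  :", simulate_mpls_failure(build_hub_rib(), REMOTE_LAN, "10.97.5.10"))
    print("spoke:", simulate_mpls_failure(build_spoke_rib(), DC_LAN, "10.1.20.7"))
```

The model only switches to the ASA because the dynamic route is actually withdrawn; on real equipment that depends on the routing protocol or the neighbour relationship noticing the MPLS outage, and the ASA on each side must already have the same prefixes in its crypto ACL for the traffic to be sent into the tunnel.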