I recently came across this scenario on my network: we had an MPLS network connecting our HQ to the DR site, and an internet link terminating on ASAs.
We needed to use this internet link as an automatic failover for the MPLS in case the MPLS went down for any reason.
I did some research and couldn't find clear documentation on the internet explaining this, so I wrote this document in the hope that it could be helpful for others.
First, I had the MPLS over BGP, and locally I'm using the EIGRP protocol between the routers, switches and ASAs. So my problem was the static route injected into the routing protocols when a site-to-site VPN tunnel was established between the two ASAs.
So I worked with Cisco TAC on this issue until we realized that we have to issue the command no reverse-route under the crypto map:
# no crypto map OUTSIDE-map 1 set reverse-route
so that the static routes are not injected when the tunnel is established.
Now the tunnel will stay down when there is no interesting traffic, and once the BGP link (MPLS) goes down, the interesting traffic will automatically be sent into the IPsec tunnel, depending on the ACL you created that has the MPLS IP addresses in it. So the configuration to create an auto-failover site-to-site VPN on ASA version 9.6 will be as below:
First ASA, at the DR site:
access-list MPLS-ACL1 extended permit ip object-group LOCAL-Network object-group All-Branches
crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set pfs
crypto map OUTSIDE-map 1 set peer X.X.X.X (HQ Public IP)
crypto map OUTSIDE-map 1 set ikev1 transform-set **** (Transform Set Name)
crypto map OUTSIDE-map 1 set security-association lifetime seconds 86400
tunnel-group X.X.X.X (HQ Public IP) type ipsec-l2l
tunnel-group X.X.X.X (HQ Public IP) ipsec-attributes
 ikev1 pre-shared-key *****
Second ASA, at the HQ site:
access-list MPLS-ACL2 extended permit ip object-group All-Branches object-group DR-Network
crypto map OUTSIDE_map 8 match address MPLS-ACL2
crypto map OUTSIDE_map 8 set pfs
crypto map OUTSIDE_map 8 set peer X.X.X.X (DR Public IP)
crypto map OUTSIDE_map 8 set ikev1 transform-set **** (Transform Set Name)
crypto map OUTSIDE_map 8 set security-association lifetime seconds 86400
tunnel-group X.X.X.X (DR Public IP) type ipsec-l2l
tunnel-group X.X.X.X (DR Public IP) ipsec-attributes
 ikev1 pre-shared-key *****
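As an added example (my own write-up, not configuration from the original post), here is the DR-side ASA configuration written out in full, with the no reverse-route line in place and the pieces the post leaves out of its excerpt: the object groups behind the ACL, the IKEv1 policy, the transform set, a NAT exemption for the VPN traffic, and the commands to verify the tunnel during a test. All addresses, object contents, the transform-set name and the pre-shared-key placeholder are values I chose for the example; the HQ side mirrors this with the source and destination objects swapped, as in the post.

```cisco
! DR-site ASA, ASA 9.6 syntax. Addresses and object contents are placeholders chosen for this example.
!
! Networks that define the "interesting traffic" for the failover tunnel
object-group network LOCAL-Network
 network-object 10.20.0.0 255.255.0.0
object-group network All-Branches
 network-object 10.0.0.0 255.255.0.0
access-list MPLS-ACL1 extended permit ip object-group LOCAL-Network object-group All-Branches
!
! Keep VPN traffic untranslated (assumes NAT is configured on the inside interface)
nat (inside,outside) source static LOCAL-Network LOCAL-Network destination static All-Branches All-Branches no-proxy-arp route-lookup
!
! IKEv1 phase 1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! IPsec phase 2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map entry; peer 203.0.113.10 stands in for the HQ public IP (TEST-NET-3 placeholder)
crypto map OUTSIDE-map 1 match address MPLS-ACL1
crypto map OUTSIDE-map 1 set pfs group14
crypto map OUTSIDE-map 1 set peer 203.0.113.10
crypto map OUTSIDE-map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-map 1 set security-association lifetime seconds 86400
! The point of the post: no Reverse Route Injection, so no static routes for
! All-Branches appear on the ASA (and get redistributed into EIGRP) while the
! MPLS/BGP path is up. Reverse-route is off by default, so this line also
! documents the intent for the next engineer reading the config.
no crypto map OUTSIDE-map 1 set reverse-route
crypto map OUTSIDE-map interface outside
!
! Peer definition; replace <PRE-SHARED-KEY> with the real key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
!
! Verification while the MPLS is up (nothing should be injected):
!   show route static              -> no entries for the All-Branches prefixes
!   show crypto ikev1 sa           -> no SA to 203.0.113.10, tunnel idle
! Verification after pulling the MPLS link (traffic now reaches the ASA):
!   show crypto ikev1 sa           -> phase 1 SA to 203.0.113.10 in MM_ACTIVE
!   show crypto ipsec sa peer 203.0.113.10   -> #pkts encaps/decaps increasing
```

The HQ ASA uses the same structure with MPLS-ACL2 (All-Branches to DR-Network), its own crypto map sequence and peer address, and the same transform set, PFS group and pre-shared key; both sides must have reverse-route disabled, otherwise the injected static routes on one ASA will still be redistributed into EIGRP and compete with the BGP path while the MPLS is healthy. The failover itself depends on the inside routing: when the BGP routes for the branch prefixes disappear, the routers and switches must fall back to a route (typically the EIGRP default) that forwards branch-bound traffic to the ASA, which is what makes the traffic "interesting" and brings the tunnel up.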