all traffic from branch

pcromwell
Level 3

We have a Cisco router at a branch office with a site-to-site VPN connection that terminates at HQ on an ASA. Internet traffic has been breaking out at the local branch router. This all works fine. We have just added a Layer 2 link to the branch router, and that is now the primary link back to HQ; all traffic, including internet, now goes across this link and NAT is performed at HQ.

What we want to do is have the VPN link as a failover in case the Layer 2 goes down. We would need all traffic, including internet connections, to go across the VPN. I am not sure how to get all traffic across the VPN. I did try doing ip any any on the ACL for the VPN, but that failed. I am guessing it is my default route that will need to be changed, but the VPN doesn't have an interface associated. Does anyone have any ideas?

1 Accepted Solution

Accepted Solutions

As usual, there is more than one way to solve this.

It will be much easier when you convert your VPN to a route-based VPN which is supported in IOS for many years. With that, you have a tunnel-interface representing your VPN.

Next, if you do not want to break out internet-traffic locally, add a static /32 route to the HQ VPN-gateway. With that you can have routed "any" through your VPN and still have your route to the VPN-peer.
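The accepted solution describes the design in words; the IOS configuration below is an added example written for this page, not the poster's or Cisco's own configuration. It puts the two pieces together: a VTI (Tunnel0) replaces the crypto-map ACL, a /32 host route keeps the ISP path to the HQ VPN peer, and a floating default route over Tunnel0 takes over only when the tracked default over the Layer 2 link is withdrawn. All addresses, interface names, the pre-shared key and the IKE/IPsec parameters are placeholders and must be replaced with the real design values; IKEv1 is shown only for brevity.

```cisco
! Added example configuration (not from the thread). Every address, interface
! name and crypto parameter below is a placeholder.
!
! --- Interfaces ---
interface GigabitEthernet0/0
 description ISP uplink (underlay for the VPN)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description Layer 2 link to HQ (primary path)
 ip address 10.0.0.2 255.255.255.252
!
! --- IKE / IPsec (placeholder policy; prefer IKEv2 in a real deployment) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set TS-HQ esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-HQ
 set transform-set TS-HQ
!
! --- Route-based VPN: the tunnel interface replaces the crypto map and its ACL.
! Whatever the routing table sends to Tunnel0 is encrypted, so no
! "permit ip any any" interesting-traffic ACL is needed.
interface Tunnel0
 description VTI to HQ ASA (backup path)
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-HQ
!
! --- IP SLA / track on the Layer 2 link (the poster already has this) ---
ip sla 1
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! --- Routing ---
! Host route to the HQ VPN peer via the ISP next hop. Without it the floating
! default below would try to send IKE/ESP to the peer into the tunnel itself
! (recursive routing) and the VPN would never come up.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
! Primary default route across the Layer 2 link, withdrawn when track 1 fails.
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
! Floating default route over the VPN; AD 250 keeps it out of the table while
! the primary exists. When the primary is withdrawn, "any" traffic, internet
! included, is routed into Tunnel0 and NAT continues to happen at HQ.
ip route 0.0.0.0 0.0.0.0 Tunnel0 250
```

The HQ ASA needs a matching route-based (VTI) tunnel, which recent ASA releases support, plus a route for the branch subnets pointing at its tunnel interface and the same NAT/inspection policy it already applies to traffic arriving over the Layer 2 link; otherwise the failed-over internet traffic would be dropped at HQ rather than forwarded. Note that with this design no local internet breakout remains: when the Layer 2 link is down, every packet except IKE/ESP to 203.0.113.1 leaves the branch encrypted, which is usually the intent for a site whose security policy is enforced at HQ.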


4 Replies 4

Deepak Kumar
VIP Alumni

Hi,

The default route's destination interface will be your WAN interface port ID, as in:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0

Here, Gig1/0 will be your backup ISP.

But you can use IP SLA and track to change the priority and add or remove the route from the routing table.

Regards,

Deepak Kumar


Hi Deepak, I have IP SLA in place and it works fine; the trouble is I need all traffic to go over the VPN when failed over.


Many thanks for the replies, I will give route-based a go.
