ASA5515-X firewall & backup vpn connection between 2 sites

Julie Tupling
Level 1

We have 2 ASA 5515-X firewalls one at each location and we have an EVPL between these locations.  

We want to configure a site-to-site vpn to act as a backup connection so if the EVPL goes down the VPN will still provide connectivity between sites. We configured the site-to-site VPN first and it worked we can talk between the sites, but we now have the EVPL in place and we would rather keep the traffic internal and only use VPN over internet if the EVPL is down.  

We configured EIGRP on each ASA but we can't get the routes to show up - it shows the site-to-site VPN connections as static routes but they are not defined as static routes when you look at the routing setup.

Any help would be greatly appreciated!

Thanks

5 Replies

Aditya Ganjoo
Cisco Employee

Hi Julie,

Unfortunately EIGRP over VPN is not currently supported. This is
mentioned in our online documentation here (see first note in EIGRP
overview):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1092871

"EIGRP neighbor relationships are not supported through the IPSec tunnel
without a GRE tunnel."

You would need to form a GRE tunnel between routers behind each ASA and
pass EIGRP over that for EIGRP functionality between your sites.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

We would like to use the EVPL between the firewalls for connectivity as long as the circuit is up, and if that circuit goes down we would like to have a site-to-site VPN through the internet take over providing connectivity between the locations.  Is there a way to accomplish this using just the ASA 5515-x firewalls?

We do not have to use EIGRP if there is another way to do it. We just used it because it is easy to set up.

Is there a way we can use a site-to-site VPN as a backup?

Thanks

Julie

Hi Julie,

Yes you can use the site to site as a backup but if you are passing EIGRP over it you would not be able to do it as IPSEC cannot pass multicast traffic.

To overcome this you need to have a GRE over IPSEC setup which I mentioned in my previous post.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya,

Will any routing protocols work with a site-to-site VPN?  If not, is there a way to change the administrative distance of the static routes that the site-to-site VPN creates so we could use static routes if the EIGRP session is down?  Usually static routes take precedence, but if we could change the AD then it would choose the EIGRP routes unless the circuit fails and then it would take the VPN.

We are just needing to route private networks between the 2 locations.

As I said, we do not have a way to create a GRE tunnel.  

Thanks

Julie

Hi Julie,

Did you configure RRI on the ASA ?

Please check this link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

You can also check this link:

https://www.petenetlive.com/KB/Article/0001137

Regards,

Aditya

Please rate helpful posts and mark correct answers.
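As an added example (not configuration from this thread or from Cisco), this is one way to build the floating-static design Julie asks about: EIGRP runs only across the EVPL, and a static route with an administrative distance higher than EIGRP's 90 points the remote LAN out the internet interface so it is used only after the EIGRP route is withdrawn. Interface names, addresses and the pre-shared key placeholder are assumed; RRI is deliberately left off because the static route it injects is what competes with the EIGRP route.

```cisco
! Site A ASA 5515-X. Assumed addressing: LAN-A 10.1.0.0/16 on "inside",
! EVPL link 192.168.100.0/30 on "evpl", internet on "outside" with default
! gateway 198.51.100.254, Site B peer 203.0.113.1 with LAN-B 10.2.0.0/16.
!
! 1. EIGRP only over the EVPL. Neighbours form on "evpl"; the IPsec tunnel
!    cannot carry EIGRP multicast hellos without GRE, so no network
!    statement points over the tunnel.
router eigrp 100
 network 10.1.0.0 255.255.0.0
 network 192.168.100.0 255.255.255.252
 passive-interface inside
!
! 2. Floating static route to LAN-B via the internet. AD 200 loses to the
!    EIGRP route (AD 90) while the EVPL is up and is installed only after
!    EIGRP withdraws the prefix, which then steers traffic to the crypto map.
route outside 10.2.0.0 255.255.0.0 198.51.100.254 200
!
! 3. Site-to-site IPsec (IKEv1). No "set reverse-route" on this entry:
!    RRI would inject its own static route for 10.2.0.0/16 and the VPN
!    could be preferred even while the EVPL is healthy.
access-list VPN-B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
!
! 4. Identity NAT so LAN-to-LAN traffic keeps its private addresses and
!    matches the crypto ACL when it leaves "outside".
object network LAN-A
 subnet 10.1.0.0 255.255.0.0
object network LAN-B
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
```

Site B mirrors this with the prefixes and peer swapped. If the EVPL can fail without the ASA interface going down, failover waits for the EIGRP hold timer to expire before the floating route takes over.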
