Hairpin Inet + Site to Site VPN + MPLS WAN + EIGRP scenario problem
I am trying to use our ASA pair at our main datacenter as the Internet hub for all our remote sites that hit it over our MPLS WAN as well as a site to site VPN hub hairpinning the Inet traffic. This is all dynamically routed using EIGRP and GRE tunnels.
For traffic destined for the Internet coming over the WAN to the datacenter, it will go out the Internet link on the ASA. The ASA has a route on the inside interface for the remote sites' /16 address. When that link fails, though, it still has the static route for the /16 on the inside interface, so when our router sees the remote sites through the ASA with the site to site tunnel and not across the WAN, the traffic will not route over that ASA.
I have tried to route the traffic on the ASA by having the identity NAT statement select the egress interface and then putting in another static for that same /16 on the outside interface with an administrative distance of 2, but that is failing for me as well.
It seems that I am limited on the capabilities of the ASA. The only "solution" I can think of would be IP SLA on the ASA, but I'm hoping there's a more elegant way to do this.