cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11762
Views
0
Helpful
4
Replies
Highlighted
Beginner

Site-to-Site VPN with dynamic routing on ASAs

I am planning a backup connection to a main site if our primary link goes down via two ASAs using a site to site vpn.

This is what I have come up with so far and just need to work through some best practice and questions.

##Regular Connectivity, and Internet Traffic flows ">>>>Primary_Internet"

Backup_Internet--ASA--CoreA--Router-->>Private_Wan<<--Router--CoreB--ASA--Primary_Internet

?? if Private_Wan link down, use l2l VPN via ASA over internet to connect sites

x--Router--CoreA--ASA-->>l2l VPN<<--ASA--CoreB--Router--x

?? once link is available, the preferred path over the Private Wan should be used.

A few questions,

1. Can I run a routing protocol over the l2l VPN? VTI, GRE?

2. If I do pick OSPF or EIGRP, will redistibuting the static last resort from each ASA work?

3. When running l2l VPNs, using "show route" doesn't show the routes available over the vpn, only "show crypto ipsec sa" shows info. Is this correct? If so how would metrics work for the learned routes if all links are up and there are multiple paths to the same subnet?

Everyone's tags (4)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Cisco Employee

Site-to-Site VPN with dynamic routing on ASAs

Welllll,

2) I would keep it as simple as possible, you can put all VPN in a NSSA maybe, if your ASA is touching BB.

3) RRI on ASA is inserting static routes always, it's not the best way to generate backup.

Marcin

View solution in original post

Highlighted
Cisco Employee

Site-to-Site VPN with dynamic routing on ASAs

Hi,

You can also run OSPF with unicast neighbor over your IPSEC tunnel on the ASA. You can check this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Skip the ASDM screens (or not), you have the config at the end.

Regards,

Bastien

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Site-to-Site VPN with dynamic routing on ASAs

A few questions,

1. Can I run a routing protocol over the l2l VPN? VTI, GRE?

2. If I do pick OSPF or EIGRP, will redistibuting the static last resort from each ASA work?

3. When running l2l VPNs, using "show route" doesn't show the routes available over the vpn, only "show crypto ipsec sa" shows info. Is this correct? If so how would metrics work for the learned routes if all links are up and there are multiple paths to the same subnet?

Hi,

1) You can run, OSPF over pure IPsec (point to multipoint interface type required). ASA does not support any virtual interfaces sadly.

2) Use OSPF ;-)

3) If you chose to run RRI, you will have static routes inserted. If not by default ASA is not ptuuing anything in the routing table.

HTH,

Marcin

Highlighted
Beginner

Site-to-Site VPN with dynamic routing on ASAs

Great,

1) I will test point to multipoint interface in my lab.

2) OSPF it is as we will add in non cisco devices. Any thoughts of just using one area or three areas?

3) If I do use RRI and redistribute the static connections from the backup ASA, will it be the preferred route or can I change the metric of the VPN static routes.

Highlighted
Cisco Employee

Site-to-Site VPN with dynamic routing on ASAs

Welllll,

2) I would keep it as simple as possible, you can put all VPN in a NSSA maybe, if your ASA is touching BB.

3) RRI on ASA is inserting static routes always, it's not the best way to generate backup.

Marcin

View solution in original post

Highlighted
Cisco Employee

Site-to-Site VPN with dynamic routing on ASAs

Hi,

You can also run OSPF with unicast neighbor over your IPSEC tunnel on the ASA. You can check this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Skip the ASDM screens (or not), you have the config at the end.

Regards,

Bastien

View solution in original post

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here