backup internet and vpn

asmlicense
Level 1

Dear,

We have 140 sites with a primary MPLS connection from ISP1, with a dedicated router in the head office as the DMVPN hub, and in some of them we have a VPN tunnel as a backup through 3G.

With the backup 3G option, the branch side has internet from ISP2 and connects to the peer IP of ISP1. The VPN configs are located on an ASA 5525 and the ASA is behind the border router. The ASA's outside interface is NATed on the IBR. The ASA's internal interfaces are connected to the Cisco core.

We need to create new VPN tunnels on the branches (with 3G from ISP2) and a VPN gateway on the head office side with ISP2's public IP.

The idea: if ISP1 totally goes down, the sites will be able to connect to the head office via the backup VPN tunnel (with ISP2's 3G) and get internet access at the head office from ISP2. We have an empty ASA for this purpose.

I attached the logical topology, both as it is now and as it is required.

12 Replies

@asmlicense on the remote branch site routers you could configure an EEM script to detect that the ISP1 link is down and enable the 3G interface; this would subsequently establish a VPN tunnel to the head office via ISP2. Once the ISP1 link is up again, another EEM script can disable the secondary link and fail back to the preferred link.

@Rob Ingram there are no problems with the current main and backup lines.

We want to back up the internet line of HQ, and if ISP1 totally goes down (by totally I mean we lose the MPLS and internet connection) the current backup will not work, because the VPN gateway for now is ISP1's public IP.

So we want to back up internet on HQ and then back up the network on the spoke side.

As I said, when ISP1 goes down the VPN connection on the branches (ISP2 3G on the spoke side -- ISP2 VPN gateway on the HQ side) must come up.

balaji.bandi
Hall of Fame

Are you looking for the alternative connection to be part of DMVPN, or just a VPN to get Internet access?

You can build 2 VPN connections on the branch, and use IP SLA to track the connection and fail over.

You can find good examples on Google of how to do that; if you still have issues, let us know so we can point you to some guides.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi actually we have not configured backup internet for HQ yet.

As I understand it, first we need to back up the internet connection (purchase 3-4 public IPs for NAT and 1 as a VPN gateway) and after that we can establish an IPsec tunnel with the NEW VPN gateway.

Am I right?

On the HQ, if you have a public IP, that can be used for the branch to establish a VPN connection.

BB


Can I back up internet for HQ with a home modem with 3G?

I mean, right now ISP1 gives us services (data, internet, SIP) via VLANs which come to a Cisco access switch (2960) and are then separated to specific devices (data/SIP go to the MPLS hub; internet to the border router).

At which step will I be able to use a home modem with 3G?

As I understand it, I need to connect it to the border router's interface, give it a specific private IP and use the home modem as the default gateway.

Right?

Can I back up internet for HQ with a home modem with 3G? - If this is your requirement and you have a static public IP on one side, that is possible.

Again, it depends how you design your routing; test one site and move to the other sites as you progress towards the desired outcome.

IP SLA and an EEM script are the way forward if the main link goes down and you would like to use 3G.

BB


It is a temporary solution.

For example, I back up HQ internet with 3G (create an interface on the Cisco router) with public IP 9.9.9.9 for internet and 7.7.7.7 as the VPN gateway IP, and NAT the ASA's outside interface (2.2.2.2). Theoretically it will work, yes?

interface GigabitEthernet0/0/0
 ip address 9.9.9.9 255.255.255.255
 ip address 7.7.7.7 255.255.255.252 secondary
 no ip redirects
 ip nat outside

ip nat inside source static udp 2.2.2.2 500 9.9.9.9 500
ip nat inside source static udp 2.2.2.2 4500 9.9.9.9 4500

The default route via ISP2 must be less preferred than the default route the branch learns from the DC (hub).

So only make the hub inject the default route toward the branch using MPLS.

And also configure NAT for the branch in the hub.

asmlicense
Level 1

On the ASA we have an outside interface (for example, 1.1.1.1) and now I need to create a new one with another IP (for example, 2.2.2.2) and then NAT it to ISP2's public IP (for example, 9.9.9.9) on the border router:

ip nat inside source static udp 2.2.2.2 500 9.9.9.9 500

ip nat inside source static udp 2.2.2.2 4500 9.9.9.9 4500

Yes, the ASA can do NAT, or the hub (DC) can NAT the traffic from the branch.
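As an added example (not configuration from the thread or from any of its posters), here is how the head-office border router could carry the ISP2 backup uplink discussed above: a tracked default route via ISP1 with a floating default via ISP2, the static UDP/500 and UDP/4500 translations for the ASA's new outside address (2.2.2.2 to 9.9.9.9, the addresses used in the posts above), and PAT towards ISP2 for everything else from that ASA interface. The interface names, the ISP1 addresses (203.0.113.0/30), the probe host 192.0.2.100, the ISP2 next hop 9.9.9.10 and the inside segment 2.2.2.0/29 are assumptions; the existing NAT of the ASA's first outside address towards ISP1 is left unchanged and not shown.

```cisco
! Added example for the HQ border router (IBR). Not from the thread.
! Assumed: Gi0/0/0 = existing ISP1 uplink (203.0.113.2/30, next hop 203.0.113.1)
!          Gi0/0/1 = new ISP2 3G uplink (9.9.9.9/30 from the thread, next hop 9.9.9.10 assumed)
!          Gi0/0/2 = inside segment towards the ASA; ASA's new outside = 2.2.2.2 (from the thread)
! 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation ranges used as placeholders.
!
interface GigabitEthernet0/0/0
 description ISP1 internet uplink (primary)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/1
 description ISP2 3G backup uplink
 ip address 9.9.9.9 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/2
 description inside segment, ASA outside interfaces
 ip address 2.2.2.1 255.255.255.248
 ip nat inside
!
! Probe a host beyond ISP1's next hop (placeholder 192.0.2.100) so that an
! upstream ISP1 outage is detected, not only a dead local link. The /32 route
! pins the probe to ISP1 so it can never succeed over ISP2.
ip route 192.0.2.100 255.255.255.255 203.0.113.1
ip sla 1
 icmp-echo 192.0.2.100 source-interface GigabitEthernet0/0/0
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! While track 1 is up the ISP1 default route is installed; when it fails the
! floating default (AD 250) via ISP2 takes over, and comes back out when ISP1 recovers.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 9.9.9.10 250
!
! Static port translations so branches can reach the ASA's new outside address
! through ISP2: IKE (UDP/500) and NAT-T (UDP/4500). ESP itself is not
! translated by these lines, so the peers must negotiate NAT-T.
ip nat inside source static udp 2.2.2.2 500 9.9.9.9 500 extendable
ip nat inside source static udp 2.2.2.2 4500 9.9.9.9 4500 extendable
!
! Everything else from the ASA's new outside address that leaves via ISP2 is
! PATed to the ISP2 interface address: internet access for HQ and, through
! the ASA, for the branches while ISP1 is down.
ip access-list standard ASA-OUTSIDE2
 permit host 2.2.2.2
route-map NAT-VIA-ISP2 permit 10
 match ip address ASA-OUTSIDE2
 match interface GigabitEthernet0/0/1
ip nat inside source route-map NAT-VIA-ISP2 interface GigabitEthernet0/0/1 overload
```

Two checks are worth doing on the router after applying this: `show track 1` should report Reachability Up with ISP1 healthy and `show ip route 0.0.0.0` should show the 203.0.113.1 next hop; after pulling the ISP1 cable (or blackholing the probe host at ISP1), the track goes down after the 30-second delay and the default moves to 9.9.9.10. The `delay down 30 up 60` line keeps a single lost probe from flapping the default route and tearing down every branch tunnel.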

asmlicense
Level 1

Can we use an APN for the backup line? And what will we need for it?

From the provider side - a SIM card with APN settings, username/password.

From our side - a cellular interface (we have Cisco 4321s in the branches, and there is no cellular interface on them, so we can use any home modem like a TP-Link with a cellular port). Can we use this APN connection for IPsec? Could someone advise how we can do it? For example, can we create crypto configs and attach them to the interface which will connect to the TP-Link?
And what will we need on the head office side? For example, a public IP from the cellular provider so that all APN connections can connect to it?
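As an added example (not from the thread or its posters), a branch ISR 4321 configuration that puts together the two mechanisms discussed in this thread and the last question above: an IP SLA probe to the hub over the existing DMVPN tunnel, EEM applets that enable the Ethernet port facing the 3G modem only while that probe fails (the EEM approach from earlier in the thread), and an IKEv2 IPsec VTI over that port to the head-office gateway 9.9.9.9 (the address used in the posts above). Assumed: Tunnel0 is the existing DMVPN tunnel and 10.255.0.1 the hub's tunnel address, GigabitEthernet0/0/1 connects to the modem's LAN side at 192.168.1.1 with the modem doing NAT, the ASA's new outside address is 2.2.2.2 (from the thread), and the ASA is configured as the matching IKEv2 VTI peer (not shown here).

```cisco
! Added example for a branch ISR 4321 with an external 3G modem. Not from the thread.
! Assumed: Tunnel0 = existing DMVPN tunnel, hub tunnel address 10.255.0.1
!          Gi0/0/1 = Ethernet port to the modem (modem LAN 192.168.1.1, modem does NAT)
!          9.9.9.9 = HQ ISP2 public address (from the thread), ASA outside 2.2.2.2 (from the thread)
!
! --- IKEv2 / IPsec for the backup tunnel ---
crypto ikev2 proposal BACKUP-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy BACKUP-POL
 proposal BACKUP-PROP
crypto ikev2 keyring BACKUP-KEYS
 peer HQ-ISP2
  address 9.9.9.9
  pre-shared-key REPLACE-WITH-A-STRONG-PSK
crypto ikev2 profile BACKUP-IKEV2
 ! The ASA sits behind static NAT, so its IKE identity is its own interface
 ! address (2.2.2.2), not the translated 9.9.9.9; both are accepted here.
 match identity remote address 2.2.2.2 255.255.255.255
 match identity remote address 9.9.9.9 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local BACKUP-KEYS
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile BACKUP-IPSEC
 set transform-set BACKUP-TS
 set ikev2-profile BACKUP-IKEV2
!
! --- Port towards the modem: kept shut while ISP1 is healthy ---
interface GigabitEthernet0/0/1
 description to 3G modem LAN side (assumed 192.168.1.0/24)
 ip address 192.168.1.2 255.255.255.0
 shutdown
!
! Route-based IPsec (VTI) to HQ via the modem; the /32 towards 9.9.9.9 only
! exists while Gi0/0/1 is up, so the tunnel cannot recurse through itself.
ip route 9.9.9.9 255.255.255.255 192.168.1.1
interface Tunnel100
 description backup IPsec VTI to HQ via ISP2
 ip address 10.255.100.2 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 9.9.9.9
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-IPSEC
!
! Floating default through the backup tunnel (AD 250). It is installed only
! when Tunnel100 is up, and is always beaten by the default learned from the hub.
ip route 0.0.0.0 0.0.0.0 Tunnel100 250
!
! --- Health check of the primary path ---
! Sourcing the probe from Tunnel0 forces it over the DMVPN/MPLS path, so it
! cannot be answered over the backup tunnel once that is up.
ip sla 1
 icmp-echo 10.255.0.1 source-interface Tunnel0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! --- EEM: enable the modem port on failure, shut it on recovery ---
event manager applet ISP1-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISP1/MPLS path down: backup 3G port enabled"
event manager applet ISP1-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/0/1"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "ISP1/MPLS path restored: backup 3G port disabled"
```

Because the modem does NAT, the branch always initiates the tunnel and IKEv2 negotiates NAT-T automatically; the HQ side only needs to accept UDP/500 and UDP/4500 towards the ASA. Verify with `show track 1`, then `show crypto ikev2 sa` and `show ip route 0.0.0.0` after the track goes down: the tunnel should come up within the 30-second delay and the default should point at Tunnel100. On the ASA, the peer has to be defined with the branch's identity in mind as well, since the branch's IKE identity will be its private modem-side address unless it is configured otherwise.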