Configure VPN to be used as 2nd route to remote destination

ali.rodriguez

Hi

I need to configure a Site-to-Site VPN from an ASA 5508.


My question is, how do I configure the ASA so that this VPN is used as a second option to reach the remote destination?

 

The first option will be a router that has MPLS configured to the same remote site.

 

At the moment there are static routes to remote destinations to redirect traffic from the ASA to the MPLS Router.

Any tips or ideas to configure it correctly?

 

Regards


21 Replies

@ali.rodriguez a couple of options. I assume you've got an MPLS router connected to a Core switch and an ASA also connected to the core switch?

 

On the core, you could run a routing protocol over the MPLS and a default route via the ASA. When the MPLS is working, traffic would be sent via the MPLS router; if the MPLS fails, the routes learnt dynamically would be removed from the routing table and traffic would be routed to the ASA and subsequently encrypted over a VPN tunnel.

 

Alternatively, on the core switch you could define 2 static default routes with IP SLA and a track to prefer one route over the other; if that fails, the route would be removed and traffic would be sent to the ASA.

Thanks for the reply, Rob.

 

I would like to apply this configuration that you said:
"Alternatively on the core switch you could define 2 static default routes with IP SLA and a track to prefer one route over the other, if that fails the route would be removed and traffic would be sent to the ASA."

The only detail is that the MPLS Router and ASA are directly connected; how could I apply the static routes in this case?

 

Regards!

@ali.rodriguez you mean the MPLS is connected to the ASA? So the ASA has a connection for inside, MPLS and outside (internet)?

 

If so, run IP SLA and tracking on the ASA: track a static route via the MPLS as primary; if that fails, it would remove that route and traffic would be sent via the outside interface.

ASA is connected to the Router (it has MPLS) through an internal interface. ASA has the outside interface for internet access.

 

I could configure a static route with a higher value in the ASA on the outside interface so that the traffic is sent to the Router instead of going through the ASA VPN Tunnel. Did I understand correctly?

 

If I configure it this way, in that static route of the outside, what destination would I put?
route 0 0 ?

@ali.rodriguez please provide a diagram so we can understand your topology.

I share my topology in the following image; the models are representative, it really is an ASA 5508.

@ali.rodriguez on each ASA configure a static route (or routes) via the MPLS, with IP SLA and a track object (ping something); when the ping drops, that route will be removed from the route table. You will then have another route via the outside interface for traffic to be routed over the VPN.

Thanks for the explanation Rob. Will there be any way to use the MPLS route instead of the VPN as the 1st option?

@ali.rodriguez you misunderstand, the suggestion is to use the MPLS.

You create 2 routes, one via the MPLS and the other via the ASA's outside interface (with a higher cost/metric). The first route goes via the MPLS; use that route in conjunction with IP SLA and a track object. When the object you track goes down, the route (via the MPLS) is removed, leaving only the route via the ASA's outside interface.

Okay Rob, thank you so much, I finally understand what you said and I like it. So for example the commands that I would use are something like this:

#MPLS - inside interface
route mpls 0.0.0.0 0.0.0.0 192.168.10.1 1 track 1

#VPN tunnel
route outside 0.0.0.0 0.0.0.0 {?} 254

 I just have the question of how to make the static route of the vpn, what IP should I put there?

@ali.rodriguez well, looking at your diagram again, the ASA only has 1 interface.

You'd need to connect another interface on both ASAs for the outside interface, then define the IP address of a device that can route between the 2 ASAs as the next hop.
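A worked ASA configuration of the design Rob describes (a tracked primary route via the MPLS interface and a higher-metric backup route via outside, with the outside next hop being the ISP gateway). This is an added illustration, not configuration from the thread. It assumes an interface named mpls with next hop 192.168.10.1 (taken from the commands posted above), an outside ISP gateway of 203.0.113.1 (placeholder), a remote LAN of 10.20.0.0/16 and a probe target of 10.20.0.1 inside that LAN (both constructed). Unlike the posted commands, it tracks only the remote prefix rather than the default route, so internet traffic is not pulled across the MPLS:

```text
! Added example (not from the thread). Placeholders: 203.0.113.1 = ISP gateway,
! 10.20.0.0/16 = remote site LAN, 10.20.0.1 = a host at the remote site that
! is reachable only over the MPLS path.

! 1. IP SLA probe: ICMP echo to the remote host, sourced from the mpls interface.
!    Pinning the probe to "interface mpls" means it keeps testing the MPLS path
!    even after the backup route is active, so the tracked route cannot flap
!    just because the VPN can reach the same host.
sla monitor 1
 type echo protocol ipIcmpEcho 10.20.0.1 interface mpls
 num-packets 3
 timeout 3000
 frequency 10
sla monitor schedule 1 life forever start-time now

! 2. Track object bound to the probe's reachability state.
track 1 rtr 1 reachability

! 3. Primary route to the remote LAN via the MPLS router, installed only while
!    track 1 is up (metric 1).
route mpls 10.20.0.0 255.255.0.0 192.168.10.1 1 track 1

! 4. Backup route to the same prefix via outside with a worse metric (254).
!    The next hop is the ISP gateway, not the far ASA; the crypto map on the
!    outside interface encrypts the traffic once it is routed that way.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 254

! 5. Normal internet default route, unaffected by the failover.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Note: the site-to-site crypto ACL (and any NAT exemption) must already cover
! 10.20.0.0/16, otherwise traffic leaving outside after failover is not
! matched by the tunnel.
```

While the probe succeeds, show route lists 10.20.0.0/16 via mpls; when it fails, show track 1 reports the state as Down, that route is withdrawn and the metric-254 route via outside takes over. show sla monitor operational-state 1 shows the probe results directly. The remote ASA needs the mirror-image configuration: if only one side fails over, return traffic keeps arriving over the MPLS and the session is effectively blackholed.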

From my view:
Does the Core support a routing protocol? If yes, then
configure the Core to prefer the ISP MPLS router when the router can pass traffic;
the Core will prefer the ASA to pass traffic when the router cannot pass traffic.

Note 1: the ASA will receive and forward traffic via the tunnel when it receives the traffic from the Core.
Note 2: a blackhole may occur if the other site still uses the ISP MPLS router, not the ASA.

Thanks for the reply.

The only thing is that in my topology I do not have a core switch; several switches are connected to the ASA, and the ASA to the Router that has MPLS.

I already saw the solution of the static routes in the ASA but in the route that will send the traffic through VPN I don't know which IP is going to be the next hop.

 

#MPLS - inside interface
route mpls 0.0.0.0 0.0.0.0 192.168.10.1 1 track 1

#VPN tunnel
route outside 0.0.0.0 0.0.0.0 {?} 254

The ASA is the default router for all subnets,
and the ASA connects to your edge router (which is connected to the SP MPLS).
Does the edge router receive the prefix from Site-B and advertise it to the ASA via a routing protocol, or do you configure a static route in the ASA?

The edge router has the MPLS capability, not the ASA.
