1947 Views | 5 Helpful | 21 Replies

Configure VPN to be used as a 2nd route to a remote destination

ali.rodriguez (Spotlight)

Hi

I need to configure a Site-to-Site VPN from an ASA 5508.

My question is, how do I configure the ASA so that this VPN is used as a second option to reach the remote destination?

The first option will be a router that has MPLS configured to the same remote site.

At the moment there are static routes to remote destinations to redirect traffic from the ASA to the MPLS Router.

Any tips or ideas to configure it correctly?

Regards

21 Replies


@MHM Cisco World wrote:

The ASA is the default router for all subnets.
The ASA connects to your edge router, which is connected to the SP MPLS.
Does the edge router receive the prefix from Site-B and advertise it to the ASA via a routing protocol, or do you configure a static route in the ASA?

The edge router has the MPLS capability, not the ASA.


That is correct; at the moment all the traffic is reaching the router that has the MPLS connection. But as soon as the VPN between ASAs A and B is configured, there will be two ways to reach the remote site (VPN and MPLS).
Currently in the ASA there are static routes to send the traffic to the router that has MPLS.
I suppose that as soon as the VPN is registered, the traffic will go through the VPN due to a shorter route.
My goal is that MPLS be taken as the 1st option and VPN as the 2nd option to transport the traffic.

@ali.rodriguez your goal is understood, but on the ASA you've only got 1 interface (on your diagram), which connects to the MPLS. You need another interface to connect the ASAs that doesn't go via the MPLS. Your design will never work if the ASAs don't have another path to communicate with each other.

My ASA has 2 interfaces:

1. An internal interface that connects to the router that has the MPLS connection.
2. An outside interface with a public IP that connects the VPN to the remote ASA.


@ali.rodriguez wrote:

Currently in the ASA there are static routes to send the traffic to the Router that has MPLS.
I suppose that as soon as the VPN is registered, the traffic will go through the VPN due to a shorter route.
My goal is that MPLS be taken as the 1st option and VPN as the 2nd option to transport the traffic.


Refer to the answer you marked as the solution. The traffic will go over the MPLS link (as per your requirement). You create 2 routes, one via the MPLS and the other via the ASA's outside interface (with a higher cost/metric). The first route goes via the MPLS; use that route in conjunction with IP SLA and a track object. When the object you track goes down, the route (via the MPLS) is removed, leaving only the route via the ASA's outside interface.

Traffic will only be routed via the ASA's outside interface over a VPN if the MPLS is down.

Because a S2S VPN is policy-based, not a route-based VPN,

you can configure a VTI in the ASA and configure a static route with a high AD through the VTI tunnel, and another static route with a lower AD toward the edge router.

This makes the ASA select the path through the edge router, not through the VTI.

Thanks. To route through the VTI, is it configured with the public IP, or how?

 

#MPLS - inside interface
route mpls 0.0.0.0 0.0.0.0 192.168.10.1 1 track 1

#VPN tunnel
route outside 0.0.0.0 0.0.0.0 {Public IP ASA outside} 254

 

route MPLS <SiteB-net> <mask> <edge-router-ip> 1 track 1
!
route outside 0.0.0.0 0.0.0.0 <ISP-next-hop-ip>   ! needed so the VTI tunnel destination (the peer's public IP) is reachable
!
route VTI <SiteB-net> <mask> <VTI-ip-of-other-peer> 254

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html
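The replies above describe the pieces separately (IP SLA plus a track object on the MPLS route, a VTI to the remote ASA, and a floating static route through the VTI with a higher AD). The following is an added, complete ASA configuration that puts them together; it is not code from the thread or from the linked Cisco document. Only 192.168.10.1 (the edge router) comes from the thread; the other values are constructed placeholders: 10.20.0.0/16 as Site B's LAN, 10.20.0.1 as a Site B host used as the probe target, 203.0.113.1 as the ISP next hop, 198.51.100.2 as the remote ASA's public IP, 169.254.100.0/30 as the VTI link, and the interface names MPLS, outside and VTI.

```cisco
! Added example (not from the thread). All addresses except 192.168.10.1 are constructed placeholders.
! 192.168.10.1   = edge router holding the MPLS circuit (from the thread)
! 10.20.0.0/16   = Site B LAN (assumed); 10.20.0.1 = Site B host probed by IP SLA (assumed)
! 203.0.113.1    = ISP next hop on outside (assumed); 198.51.100.2 = remote ASA public IP (assumed)
! 169.254.100.0/30 = point-to-point VTI link (assumed)

! 1. Probe a host inside Site B, pinned to the MPLS interface. The "interface" keyword sends the
!    probe out MPLS regardless of the routing table, so after failover the probe does not start
!    succeeding through the VPN and the MPLS route comes back only when MPLS itself recovers.
sla monitor 1
 type echo protocol ipIcmpEcho 10.20.0.1 interface MPLS
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability

! 2. IKEv2/IPsec parameters for the VTI (replace <PSK> with the shared secret agreed with Site B)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

! 3. The VTI. Its destination is the peer's public IP, which must stay reachable via outside.
interface Tunnel1
 nameif VTI
 ip address 169.254.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! 4. Routes. Preferred path (AD 1) via the edge router, installed only while track 1 is up;
!    floating route (AD 254) via the VTI is installed only once the tracked route is withdrawn.
!    The outside default route is deliberately not tracked: IKE to the peer always needs a path.
route MPLS    10.20.0.0 255.255.0.0 192.168.10.1  1 track 1
route VTI     10.20.0.0 255.255.0.0 169.254.100.2 254
route outside 0.0.0.0   0.0.0.0     203.0.113.1   1
```

To check the behaviour, compare `show track 1`, `show sla monitor operational-state 1` and `show route` while the MPLS path is healthy and again after it is interrupted: the VTI entry for 10.20.0.0/16 should appear in the routing table only while the tracked MPLS route is absent. Two design points matter for a clean failover: the probe target should be a host beyond the edge router (inside Site B), so the route is withdrawn when the MPLS path fails end to end and not only when the local router's LAN interface goes down, and the tunnel destination must be routed through outside (never through the tracked route), otherwise the VPN has no path exactly when it is needed.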
