09-19-2011 11:39 PM
I am planning a backup connection to a main site if our primary link goes down, via two ASAs using a site-to-site VPN.
This is what I have come up with so far and just need to work through some best practice and questions.
##Regular Connectivity, and Internet Traffic flows ">>>>Primary_Internet"
Backup_Internet--ASA--CoreA--Router-->>Private_Wan<<--Router--CoreB--ASA--Primary_Internet
?? if Private_Wan link down, use l2l VPN via ASA over internet to connect sites
x--Router--CoreA--ASA-->>l2l VPN<<--ASA--CoreB--Router--x
?? once link is available, the preferred path over the Private Wan should be used.
A few questions,
1. Can I run a routing protocol over the l2l VPN? VTI, GRE?
2. If I do pick OSPF or EIGRP, will redistributing the static last resort from each ASA work?
3. When running l2l VPNs, using "show route" doesn't show the routes available over the vpn, only "show crypto ipsec sa" shows info. Is this correct? If so how would metrics work for the learned routes if all links are up and there are multiple paths to the same subnet?
09-21-2011 02:32 AM
Welllll,
2) I would keep it as simple as possible; you can put all VPN in an NSSA maybe, if your ASA is touching BB.
3) RRI on ASA always inserts static routes; it's not the best way to generate a backup.
Marcin
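As an added illustration of why an RRI static makes a poor backup (a constructed model, not configuration from the thread or Cisco's own code; the administrative distances are the Cisco defaults, the OSPF costs and the prefix are assumed):

```python
from dataclasses import dataclass

# Cisco default administrative distances (assumed defaults, not stated in the thread)
AD = {"connected": 0, "static": 1, "ospf": 110}

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str     # path label: "private_wan" or "l2l_vpn"
    source: str       # "static" (what RRI installs) or "ospf"
    metric: int = 0   # OSPF cost; not used for statics here

def best_route(candidates):
    """Route a Cisco RIB installs for one prefix: lowest AD, then lowest metric."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (AD[r.source], r.metric))

def candidate_routes(prefix, wan_up, vpn_up, backup_mode):
    """Constructed candidate set for one remote subnet.

    backup_mode "rri":  VPN path is an RRI static route (AD 1)
    backup_mode "ospf": VPN path is OSPF learned over the tunnel, cost 1000
    The Private WAN path is OSPF learned with cost 10 whenever the link is up.
    """
    routes = []
    if wan_up:
        routes.append(Route(prefix, "private_wan", "ospf", 10))
    if vpn_up:
        if backup_mode == "rri":
            routes.append(Route(prefix, "l2l_vpn", "static"))
        else:
            routes.append(Route(prefix, "l2l_vpn", "ospf", 1000))
    return routes

def chosen_path(wan_up, vpn_up, backup_mode, prefix="10.20.0.0/16"):
    """Path label the RIB would use, or None if the subnet is unreachable."""
    best = best_route(candidate_routes(prefix, wan_up, vpn_up, backup_mode))
    return best.next_hop if best else None

if __name__ == "__main__":
    for mode in ("rri", "ospf"):
        for wan in (True, False):
            print(f"{mode:4} wan_up={wan!s:5} -> {chosen_path(wan, True, mode)}")
```

With RRI the static (AD 1) wins even while the Private WAN is up, so the VPN path is used permanently; with OSPF over the tunnel at a high cost, the WAN path wins whenever it is available and the tunnel takes over only when it is not.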
09-21-2011 02:40 AM
Hi,
You can also run OSPF with unicast neighbor over your IPSEC tunnel on the ASA. You can check this document:
Skip the ASDM screens (or not), you have the config at the end.
Regards,
Bastien
09-20-2011 04:09 AM
A few questions,
1. Can I run a routing protocol over the l2l VPN? VTI, GRE?
2. If I do pick OSPF or EIGRP, will redistributing the static last resort from each ASA work?
3. When running l2l VPNs, using "show route" doesn't show the routes available over the vpn, only "show crypto ipsec sa" shows info. Is this correct? If so how would metrics work for the learned routes if all links are up and there are multiple paths to the same subnet?
Hi,
1) You can run OSPF over pure IPsec (point-to-multipoint interface type required). ASA does not support any virtual interfaces, sadly.
2) Use OSPF ;-)
3) If you choose to run RRI, you will have static routes inserted. If not, by default the ASA is not putting anything in the routing table.
HTH,
Marcin
09-20-2011 07:51 PM
Great,
1) I will test point to multipoint interface in my lab.
2) OSPF it is, as we will add in non-Cisco devices. Any thoughts on just using one area or three areas?
3) If I do use RRI and redistribute the static connections from the backup ASA, will it be the preferred route, or can I change the metric of the VPN static routes?