I need some guidance. Please see attachment for a drawing.
I am in the planning stages of this design and I am wondering if/how this would work.
I need networks A and B to talk, with the option of failover to a backup route. The primary and backup would be a leased line and a VPN over the internet, respectively.
My thought so far is to implement EIGRP between the two security devices, but I'm not entirely sure that will work for the internet/VPN side.
The ASAs do not support GRE tunnels. If you wish to run dynamic routing across your primary and backup links, your IPsec peers will be the outside interfaces of your internet-facing routers (run GRE over IPsec). Make sure the bandwidth on your tunnel interfaces is less than that on your point-to-point primary interface. Use ACLs to prevent the routing loops that would otherwise occur in this setup.
If you absolutely must use the ASAs to terminate your IPsec endpoints, and also want to route over this tunnel, you can use RIP or OSPF to exchange *UNICAST* updates. It is not that pure IPsec tunnels cannot carry routing updates: they cannot carry multicast updates (which is what updates are by default). I don't recommend using EIGRP unicast; it can be made to work but is tricky.
Floating static route should be fine.
However, it will not automatically fail over. Between the ASA in Site A and the one in Site B there are three segments through the primary link, and definitely multiple segments through the internet. A failure in a segment which is not directly connected to the firewall will not trigger failover. A failure in a segment which is directly connected to one ASA will only trigger failover at that site, but not at the other site.
I suggest you use GRE through the primary link and GRE over IPsec through the internet, and route the network through GRE. A failure in any segment will bring the GRE down, which in turn triggers automatic failover.
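The keepalive-driven GRE-over-IPsec backup described in the two replies above, written out as an added example; this is not configuration from the thread or from either poster. It assumes a Site A WAN router running IOS 15.x and uses constructed addresses throughout: 198.51.100.0/30 for the ISP link, 203.0.113.2 as the Site B internet router, 10.255.0.0/30 for the leased line, 10.255.1.0/30 for the tunnel, 10.1.0.0/24 and 10.2.0.0/16 for the two site LANs, EIGRP AS 100 on the primary, and a placeholder pre-shared key. EIGRP runs only over the leased line; the tunnel carries a floating static at administrative distance 200, so it is installed only when the EIGRP route is withdrawn, and the /32 host route to the peer keeps the tunnel from ever being routed through itself (recursive routing), which is the loop the first reply warns about.

```cisco
! Site A WAN router -- constructed example, hypothetical addresses
! Primary: Serial0/0 leased line to Site B, EIGRP 100
! Backup:  Tunnel0 GRE over IPsec to Site B internet router, floating static AD 200
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Internet-facing (ISP)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside toward Site A LAN / ASA
 ip address 10.1.0.1 255.255.255.0
!
interface Serial0/0
 description Primary leased line to Site B
 bandwidth 2048
 ip address 10.255.0.1 255.255.255.252
!
interface Tunnel0
 description Backup GRE over IPsec to Site B
 bandwidth 512
 ip address 10.255.1.1 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROTECT
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.3
 passive-interface GigabitEthernet0/1
!
! Tunnel endpoint is reachable only via the ISP next hop, never via the tunnel
ip route 203.0.113.2 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Floating static to the Site B LAN via the tunnel: AD 200 is worse than
! EIGRP's 90, so it appears in the table only after the EIGRP route is lost;
! the keepalive takes Tunnel0 down (and the static with it) if the path
! through the internet breaks anywhere along the way
ip route 10.2.0.0 255.255.0.0 Tunnel0 200
```

With the leased line up, `show ip route 10.2.0.0` should show the EIGRP route via Serial0/0; pulling the serial cable (or shutting the far end) should swap it for the static via Tunnel0 within the EIGRP hold time, and `show interface Tunnel0` should go line-protocol down after three missed keepalives (30 seconds here) if the internet path itself breaks. The Site B router needs the mirror configuration with the addresses swapped.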
In addition to the good information provided in the previous post, one other aspect which you may wish to consider is adding a connect delay to bringing up your backup link.
The Dialer Watch Connect Delay feature introduces the ability to configure a delay in bringing up a secondary link when a primary link that is monitored by Dialer Watch goes down and is removed from the routing table. Previously, the router would instantly dial a secondary route without allowing time for the primary route to come back up. When the Dialer Watch Connect Delay feature is configured, the router will check for availability of the primary link at the end of the specified delay time before dialing the secondary link.
The above information was taken from the following link; please take a look when you have an opportunity:
Hope this helps.
Connect the ASAs using a site-to-site VPN tunnel (pure IPsec), with interesting traffic explicitly mentioned in the crypto ACLs, which mirror each other. You will also need static routes (route inside ...) so inbound tunnel traffic knows how to get back to the router (assuming the ASA is being used for unencrypted internet-bound traffic as well). If not, just a default route on the ASA to the inside will work.
On the routers terminating the leased line, you can use two floating default routes that include the interface via which the next hop has to be reached. Assign the default route to the firewall a higher administrative distance (200 as an example).
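The pure-IPsec ASA tunnel with mirrored crypto ACLs, the route inside statement and the two floating default routes on the leased-line router from the reply above, as an added example that is not from the thread or from the poster. It assumes ASA 9.x syntax (IKEv1 crypto map) and constructed addresses: the Site A ASA outside is 198.51.100.10/30 with the ISP at 198.51.100.9, the Site B ASA is 203.0.113.10, the Site A LAN is 10.1.0.0/16, the Site B LAN is 10.2.0.0/16, the ASA inside sits on a 192.168.255.0/30 transit subnet with the leased-line router at 192.168.255.2, and the leased line is Serial0/0 with 10.255.0.2 at the far end. The pre-shared key is a placeholder.

```cisco
! ===== Site A ASA (ASA 9.x, constructed example) =====
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE-B-LAN
 subnet 10.2.0.0 255.255.0.0
!
! Crypto ACL: the Site B ASA must carry the exact mirror
! (permit ip 10.2.0.0/16 -> 10.1.0.0/16), otherwise phase 2 will not match
access-list VPN-TO-SITE-B extended permit ip object SITE-A-LAN object SITE-B-LAN
!
! NAT exemption so site-to-site traffic is not translated before encryption
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! Default route to the internet (this is also how the peer 203.0.113.10 is reached)
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
!
! The "route inside": decrypted traffic for the Site A LAN must be handed to the
! leased-line router on the transit subnet; without this the ASA would try to
! send 10.1.0.0/16 back out the default route
route inside 10.1.0.0 255.255.0.0 192.168.255.2 1

! ===== Site A leased-line router (IOS, constructed example) =====
! Two default routes that name the exit interface as well as the next hop.
! AD 1 via the leased line is preferred; the route toward the firewall floats
! at AD 200 and is installed only when Serial0/0 goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0 10.255.0.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.255.1 200
```

On the ASA, `show crypto ikev1 sa` and `show crypto ipsec sa` confirm phase 1 and phase 2 once traffic matching the crypto ACL flows; a mismatch between the two sites' crypto ACLs shows up there as a phase 2 proposal failure rather than as a routing problem. On the router, `show ip route 0.0.0.0` should list only the Serial0/0 default while the leased line is up, and the AD 200 route toward the ASA after it fails. Because this router only sees the directly connected segment, the caveat from the earlier reply still applies: a break further along the leased-line path will not take Serial0/0 down, which is the case the GRE keepalive design covers.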
This will surely work. There is no need to run EIGRP over the backup link. Running EIGRP for the leased line with floating static routes will do the job perfectly. Please refer to the example below:
This is for a Frame Relay link as primary, but routing-wise it is still a perfect example of what must be configured.