Thinking about this remote access solution

Nov 12th, 2007

Net Pros,


I need some guidance. Please see attachment for a drawing.


I am in the planning stages of this design and I am wondering if/how this would work.


I need network A and network B to talk, with the option of failover to a backup route. The primary/backup would be a leased line and a VPN over the internet respectively.


My thought so far is to implement EIGRP between the two security devices, but I'm not entirely sure that will work for the internet/VPN side.




Correct Answer
lgijssel Mon, 11/12/2007 - 09:22

This will surely work. There is no need to run EIGRP over the backup link. Running EIGRP for the leased line with floating static routes will do the job perfectly. Please refer to the example below:

http://www.cisco.com/en/US/tech/tk713/tk237/technologies_configuration_example09186a00800a3b77.shtml

This is for a Frame Relay link as primary, but routing-wise it is still a perfect example of what must be configured.


regards,

Leo

Anthony Holloway Mon, 11/12/2007 - 09:32

Thank you for your response.


I am concerned that I am using ASAs and not routers in my setup. Also, what about wanting to use an encrypted tunnel when backing up over the internet link?

Correct Answer
diasporia Wed, 12/12/2007 - 16:50

Connect the ASAs using a site-to-site VPN tunnel (pure IPsec), with the interesting traffic explicitly mentioned in the crypto ACLs, which mirror each other. You will also need static routes (route inside .....) so inbound tunnel traffic knows how to get back to the router (assuming the ASA is being used for unencrypted internet-bound traffic as well; if not, just a default route in the ASA to the inside will work).

On the routers terminating the leased line, you can use two floating default routes that include the interface via which the next hop has to be reached. Assign the default route to the firewall a higher (200 as an example).
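The two replies above (lgijssel's EIGRP-over-the-leased-line with floating static routes, and diasporia's pure-IPsec tunnel between the ASAs with mirrored crypto ACLs and a "route inside") put together as one configuration. This is an added example, not configuration from the thread or from Cisco; every address, interface name, ACL name and the AS number are hypothetical (Site A LAN 10.1.0.0/24 behind router RA, Site B LAN 10.2.0.0/24, leased line 192.168.100.0/30, a /30 between RA and the inside of ASA-A, public peers 203.0.113.10 and 198.51.100.10). The ASA side uses the 7.2/8.0-era syntax current when the thread was written (pre-8.3 `nat 0`); only Site A is shown, Site B is the mirror image.

```cisco
! ---- RA, the Site A router terminating the leased line ----
interface FastEthernet0/0
 description Site A LAN
 ip address 10.1.0.1 255.255.255.0
interface FastEthernet0/1
 description Link to ASA-A inside
 ip address 10.1.255.1 255.255.255.252
interface Serial0/0
 description Leased line to Site B (primary)
 ip address 192.168.100.1 255.255.255.252
!
! EIGRP runs only on the LAN and the leased line; the ASA is not a neighbour
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 192.168.100.0 0.0.0.3
 no auto-summary
!
! Floating static route to the Site B LAN via ASA-A. Administrative distance 200
! loses to the EIGRP route (AD 90) while the leased line is up, so this entry is
! installed only after RA loses the EIGRP route. Interface plus next hop, as suggested.
ip route 10.2.0.0 255.255.255.0 FastEthernet0/1 10.1.255.2 200
! Ordinary internet-bound traffic also leaves through the firewall
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.1.255.2

! ---- ASA-A: pure IPsec site-to-site tunnel, no GRE ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.255.2 255.255.255.252
!
! "route inside": 10.1.0.0/24 is not directly connected to the ASA, so without
! this, decrypted traffic from Site B for the Site A LAN has nowhere to go
route inside 10.1.0.0 255.255.255.0 10.1.255.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The crypto ACL is the only traffic that enters the tunnel; anything else that
! matches the default route leaves in the clear. ASA-B must carry the exact mirror
! (permit ip 10.2.0.0/24 10.1.0.0/24) or phase 2 will not negotiate.
access-list VPN_A_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! Exempt site-to-site traffic from NAT so the private addresses survive into the tunnel
access-list NO_NAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_A_TO_B
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set AES256_SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
! placeholder value: use a long random key, never a dictionary word
 pre-shared-key PLACEHOLDER_PSK
```

Two things to check after deploying this: `show ip route` on RA should list 10.2.0.0/24 as a D (EIGRP) route, and `show crypto ipsec sa` on ASA-A should show matching local/remote proxy identities on both peers. Note the limitation the later replies point out: RA only switches to the floating static when it loses the EIGRP route, so a failure on a segment RA does not see will not trigger the failover.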


Correct Answer
allan.thomas Sat, 12/15/2007 - 10:48

In addition to the good information provided in the previous post, one other aspect which you may wish to consider is adding a connection delay to bringing up your backup link.


The Dialer Watch Connect Delay feature introduces the ability to configure a delay in bringing up a secondary link when a primary link that is monitored by Dialer Watch goes down and is removed from the routing table. Previously, the router would instantly dial a secondary route without allowing time for the primary route to come back up. When the Dialer Watch Connect Delay feature is configured, the router will check for availability of the primary link at the end of the specified delay time before dialing the secondary link.


The above information was taken from the following link; please take a look when you have an opportunity:


http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454ff6.html


Hope this helps.

Regards

Allan.

Correct Answer
Danilo Dy Sun, 12/16/2007 - 03:34

Hi,


Floating static route should be fine.


However, it will not automatically fail over. Between the ASA in Site A and Site B through the primary link there are three segments, and through the internet there are definitely multiple segments. A failure in a segment which is not directly connected to the firewall will not trigger failover. A failure in the segment which is directly connected to one ASA will only trigger failover in that site, but not in the other site.


I suggest you use GRE through the primary link and GRE over IPsec through the internet, and route the network through GRE. A failure in any segment will bring the GRE down, which in turn triggers auto failover.


Regards,

Dandy

Correct Answer
diasporia Mon, 12/17/2007 - 12:49

The ASAs do not support GRE tunnels. If you wish to run dynamic routing across your primary and backup links, your IPsec peers will be the outside interfaces of your internet-facing routers (run GRE over IPsec). Make sure the bandwidth on your tunnel interfaces is less than that on your point-to-point primary interface. Use ACLs to prevent the routing loops that would otherwise occur in this setup.


If you absolutely must use the ASAs to terminate your IPsec endpoints, and also want to route over this tunnel, you can use RIP or OSPF to exchange *UNICAST* updates. It is not that pure IPsec tunnels cannot carry routing updates: they cannot carry multicast updates (which is what updates are by default). I don't recommend using EIGRP unicast; it can be made to work but is tricky.
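Danilo Dy's suggestion (GRE over IPsec so that any segment failure takes the tunnel down) and diasporia's conditions for it (peers on the routers' internet-facing interfaces, tunnel bandwidth below the leased line, ACLs against routing loops) as one router configuration. This is an added example, not from the thread or from Cisco; all addresses, interface names, the AS number and the ACL name are hypothetical (RA internet address 203.0.113.10, RB 198.51.100.10, leased line 192.168.100.0/30, tunnel 172.16.0.0/30, LANs 10.1.0.0/24 and 10.2.0.0/24). It assumes the routers themselves have an internet-facing interface, as diasporia's reply requires; only RA is shown and RB is the mirror image.

```cisco
! ---- RA: GRE over IPsec to RB across the internet, EIGRP on both paths ----
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! placeholder key: replace with a long random pre-shared key
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.10
!
! Transport mode is sufficient: GRE already supplies the outer IP header
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE_PROT
 set transform-set AES256_SHA
!
interface FastEthernet0/1
 description Internet
 ip address 203.0.113.10 255.255.255.0
!
interface Serial0/0
 description Leased line to Site B (primary)
 ip address 192.168.100.1 255.255.255.252
 bandwidth 2048
!
interface Tunnel0
 description GRE over IPsec backup to Site B
 ip address 172.16.0.1 255.255.255.252
 ! lower than Serial0/0: EIGRP's composite metric uses the minimum bandwidth on
 ! the path, so the leased line is preferred while it is up
 bandwidth 1000
 ! GRE keepalives take the tunnel line-protocol down when RB stops answering,
 ! so a failure on any segment of either path withdraws the routes over it
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.10
 ! everything entering Tunnel0 is encrypted; no crypto ACL to keep in sync
 tunnel protection ipsec profile GRE_PROT
!
! RB's public address must be reachable through the physical path, never via the tunnel
ip route 198.51.100.10 255.255.255.255 203.0.113.1
!
! Standard ACL applied as an inbound distribute-list on the tunnel: refuse to
! learn the tunnel endpoint network or the leased-line subnet through the tunnel
! itself, which is the recursive-routing loop the reply warns about.
ip access-list standard NO_RECURSE
 deny   198.51.100.0 0.0.0.255
 deny   192.168.100.0 0.0.0.3
 permit any
!
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 192.168.100.0 0.0.0.3
 network 172.16.0.0 0.0.0.3
 no auto-summary
 distribute-list NO_RECURSE in Tunnel0
! RB mirrors this with tunnel address 172.16.0.2, source 198.51.100.10,
! destination 203.0.113.10, and a NO_RECURSE that denies 203.0.113.0/24 instead.
```

With both paths up, `show ip eigrp topology 10.2.0.0/24` on RA should show the Serial0/0 successor and the Tunnel0 path as a feasible successor; pulling the leased line then switches traffic to the tunnel within EIGRP's hold time rather than waiting on a static route. If the tunnel ever logs "recursive routing" and flaps, a route to 198.51.100.10 has leaked in through the tunnel and the distribute-list or the host route above is missing.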
