cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
827
Views
0
Helpful
6
Replies

Thinking about this remote access solution

Anthony Holloway
Cisco Employee
Cisco Employee

Net Pros,

I need some guidance. Please see attachment for a drawing.

I am in the planning stages of this design and I am wondering if/how this would work.

I need for network A and B to talk, with the option of failover to a backup route. This primary/backup would be a leased line and VPN over the internet respectively.

My thought so far, is to implement EIGRP between the two security devices, but I'm not entirely sure that will work for the internet/vpn side.

5 Accepted Solutions

Accepted Solutions

lgijssel
Level 9
Level 9

This will surely work. There is no need to run eigrp over the backup link. Running eigrp for the leased line with floating static routes will do the job perfectly. Please refer to the example below:

http://www.cisco.com/en/US/tech/tk713/tk237/technologies_configuration_example09186a00800a3b77.shtml

This is for an FR-link as primary but routing-wise it is still a perfect example of what must be configured.

regards,

Leo

View solution in original post

diasporia
Level 1
Level 1

connect the ASA's using a site-to-site VPN Tunnel(pure ipsec)...interesting traffic explicitly mentioned in the crypto-acls that mirror each other. and you will also need static routes (route inside.....)so inbound tunnel traffic knows how to get back to the router(assuming the ASA is being used for unencrypted internet bound traffcic as well. If not, just a default route in the ASA to the inside will work.

on the routers terminating the leased line, you can use two floating default routes that include the int. via which the next hop has to be reached. assign the default route to the firewall a higher(200 as an example)

View solution in original post

allan.thomas
Level 8
Level 8

In additional to the good information provided in the previous post one other aspect which you may wish to consider is adding connection delay to bringing you backup link?

The Dialer Watch Connect Delay feature introduces the ability to configure a delay in bringing up a secondary link when a primary link that is monitored by Dialer Watch goes down and is removed from the routing table. Previously, the router would instantly dial a secondary route without allowing time for the primary route to come back up. When the Dialer Watch Connect Delay feature is configured, the router will check for availability of the primary link at the end of the specified delay time before dialing the secondary link.

The above information was taken from the following link, please take a look when you have an opportunity:-

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454ff6.html

Hope this helps.

Regards

Allan.

View solution in original post

Danilo Dy
VIP Alumni
VIP Alumni

Hi,

Floating static route should be fine.

However, it will not automatically failover. Between ASA in SiteA and Site-B thru primary link is three segments and thru internet is definitely multiple segment. Failure in the segment which is not directly connected to the firewall will not trigger failover. Failure in the segment which is directly connected to one ASA will only trigger failover in that site but no the other site.

Suggest you use GRE thru primary link and GRE over IPSEC thru internet and route the network thru GRE. Failure in any segment will bring the GRE down which in turn trigger auto failover.

Regards,

Dandy

View solution in original post

The ASA's do not support GRE Tunnels. If you wish to run a dynamic routing across you pri and backup links...your ipsec peers will be the outside interfaces of you internet-facing routers (run gre over ipsec) make sure the bandwidth on you tunnel interfaces is less than that on your pt-to-pt primary int. Use acl's to prevent routing loops that would otherwise occur in this setup.

If you absolutely must use the ASA's to terminate your ipsec enpoints, and also want to route over this tunnel you can you RIP or OSPF to exchange *UNICAST* updates. It is not that pure ipsec tunnels cannot carry routing updates: they cannot be multicast updates(which is what updates are by default) I don't recommend using EIGRP unicast...it can be made to work but is tricky.

View solution in original post

6 Replies 6

lgijssel
Level 9
Level 9

This will surely work. There is no need to run eigrp over the backup link. Running eigrp for the leased line with floating static routes will do the job perfectly. Please refer to the example below:

http://www.cisco.com/en/US/tech/tk713/tk237/technologies_configuration_example09186a00800a3b77.shtml

This is for an FR-link as primary but routing-wise it is still a perfect example of what must be configured.

regards,

Leo

Thank you for your response.

I am concerned that I am using ASAs and not routers in my setup. Also, what about wanting to use an encrypted tunnel when backing up over the internet link?

diasporia
Level 1
Level 1

connect the ASA's using a site-to-site VPN Tunnel(pure ipsec)...interesting traffic explicitly mentioned in the crypto-acls that mirror each other. and you will also need static routes (route inside.....)so inbound tunnel traffic knows how to get back to the router(assuming the ASA is being used for unencrypted internet bound traffcic as well. If not, just a default route in the ASA to the inside will work.

on the routers terminating the leased line, you can use two floating default routes that include the int. via which the next hop has to be reached. assign the default route to the firewall a higher(200 as an example)

allan.thomas
Level 8
Level 8

In additional to the good information provided in the previous post one other aspect which you may wish to consider is adding connection delay to bringing you backup link?

The Dialer Watch Connect Delay feature introduces the ability to configure a delay in bringing up a secondary link when a primary link that is monitored by Dialer Watch goes down and is removed from the routing table. Previously, the router would instantly dial a secondary route without allowing time for the primary route to come back up. When the Dialer Watch Connect Delay feature is configured, the router will check for availability of the primary link at the end of the specified delay time before dialing the secondary link.

The above information was taken from the following link, please take a look when you have an opportunity:-

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080454ff6.html

Hope this helps.

Regards

Allan.

Danilo Dy
VIP Alumni
VIP Alumni

Hi,

Floating static route should be fine.

However, it will not automatically failover. Between ASA in SiteA and Site-B thru primary link is three segments and thru internet is definitely multiple segment. Failure in the segment which is not directly connected to the firewall will not trigger failover. Failure in the segment which is directly connected to one ASA will only trigger failover in that site but no the other site.

Suggest you use GRE thru primary link and GRE over IPSEC thru internet and route the network thru GRE. Failure in any segment will bring the GRE down which in turn trigger auto failover.

Regards,

Dandy

The ASA's do not support GRE Tunnels. If you wish to run a dynamic routing across you pri and backup links...your ipsec peers will be the outside interfaces of you internet-facing routers (run gre over ipsec) make sure the bandwidth on you tunnel interfaces is less than that on your pt-to-pt primary int. Use acl's to prevent routing loops that would otherwise occur in this setup.

If you absolutely must use the ASA's to terminate your ipsec enpoints, and also want to route over this tunnel you can you RIP or OSPF to exchange *UNICAST* updates. It is not that pure ipsec tunnels cannot carry routing updates: they cannot be multicast updates(which is what updates are by default) I don't recommend using EIGRP unicast...it can be made to work but is tricky.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: