Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
450
Views
5
Helpful
5
Replies

WAN Failover to VPN Help.

markkingery
Level 1
Level 1

‎09-19-2008 09:49 AM - edited ‎03-03-2019 11:37 PM

I have a site that has a single MPLS link to it,I have an ASA firewall out there connected to a DSL internet connection. My question is where can I find a good guide to help me configure routing my router or switch to use the ASA VPN tunnel back to my datacenter if the WAN link goes down.

Thanks for any help.

Mark

Labels:
0 Helpful
5 Replies 5

singhsaju
Level 4
Level 4

‎09-19-2008 11:40 AM

Hi Mark,

You can failover to VPN using a Static route with higher AD .Let us assume that your network is routing protocol and it has a Dynamic route for remote subnet x.x.x.x. So you can add following static route on internal router.

ip route x.x.x.x y.y.y.y 200

So when the router looses dynamic route it will install this static route which points traffic towards ASA to VPN.

HTH

Saju

Pls rate helpful posts

0 Helpful

markkingery
Level 1
Level 1
In response to singhsaju

‎09-19-2008 12:32 PM

Thanks Saju, that part at the remote site I understand thanks to your help, but what I need to figure next is in my Datacenter what would I need to do to make sure subnet that comes in over the VPN tunnel goes back out the tunnel and not over the WAN.

0 Helpful

chaitu_kranthi
Level 1
Level 1
In response to markkingery

‎09-19-2008 01:06 PM

Hi,

i undetstood that you are looking for the following scenario:

MPLS link is in Cisco Router & VPN Tunnel is in ASA Firewall. So Your requirement is that if MPLS Goes down VPN has to trigger automatically right.

If that is the scenario, Go ahead with the following steps.

it worked for me.

First you have to place a default route in the Router like as follows

ip route InsidelanID subnetmask ASAinterfaceIP

please find the attachement for ASA end Configuration Steps.

Pls Rate me if it help to you

Preview file
213 KB

markkingery
Level 1
Level 1
In response to chaitu_kranthi

‎09-19-2008 01:09 PM

Thanks for the document, so say my remote location is 10.97.x.x and the 10.97.x.x is going over the vpn tunnel to my central data center, how will my core switch know not to send the 10.97.x.x out over the MPLS cloud, but back to the VPN tunnel.

0 Helpful

arathyram
Level 1
Level 1
In response to markkingery

‎12-02-2008 11:37 AM

Hi - am running into a similar situation and did a search on forums and noticed your query. Wondering if you were able to resolve this.

my take is to have a similar static route for the remote site at the DC with a higher admin distance. So, at the remote site - you have a default route with say distance 250 pointing to the remote site firewall which terminates the VPN. And at the DC, you have static routes to the remote site subnets with a high distance pointing to the hub end of the firewall that terminates the vpn.

did you have a similar approach

rgds

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card