12-03-2008 07:34 AM - edited 03-04-2019 12:35 AM
Hi all,
Tried to post a similar question a few days ago but I don't think it went through. I have an ASA5510, also have a 2851 with 3 multilinked T1's, and a T1 from a separate provider on a 1700. What I would like to do is have the extra T1 as a failover for the multilinked T1's in the (unfortunately rather common) case that they go down.
From what I've read I could do this simply by having the extra T1 on a separate interface and adding an ip route 0.0.0.0 0.0.0.0 with that IP and a higher priority.
However, I also run a vpn tunnel to our datacenter, and I would like this to failover as well on the backup T1.
From what I've read it seems possible to do this with a loopback interface, though I have no clue how to set that up.
Any assistance is much appreciated!
Thanks,
Dan
12-04-2008 10:09 AM
Hello Dan,
you would need to do the following:
use GRE tunnels inside IPSec
you build two GRE tunnels: the first travels inside the primary link/IPSec SA, the second inside the secondary link/IPSec SA
the two IPSec SAs need to use different IP endpoints.
Using GRE allows you to run a routing protocol inside the tunnels so that a router inside the ASA can use the secondary GRE when the adjacency (typically EIGRP or OSPF are used).
But this would work if there is another router internal to the ASA.
However you need two different IP endpoints: one the current one that is routable via the primary ISP on the 3T1 bundle, the second that is routable via the backup T1.
The devices that could do this job better are the two external routers themselves: if they have a common segment they could run the same routing protocol used over the GRE tunnels.
In this way the ASA would be just the firewall with no involvement in routing.
I'm not an expert on ASA so my suggestions are more router focused.
Hope to help
Giuseppe
12-04-2008 02:09 PM
Giuseppe,
Thanks for the help. Not quite sure I get it though. I found the following article, which unfortunately doesn't make complete sense to me, but at least the concept seems right. Could I do it this way?
Thanks,
Dan
12-05-2008 12:43 AM
Hello Dan,
the article explains a possible setup when the border router connecting to two ISPs is only one.
In your case the routers connecting to the two ISPs are different.
You could think of adapting the example using the ASA.
But you need two different endpoints on the ASA side that are routed via the two different ISPs so that the two IPSec SAs can stay up.
Then you also need a way to use the primary as long as it is up.
This is the reason for the suggested GRE tunnels: to have a logical object that can be the next-hop/outgoing interface for traffic; the IPsec crypto map is more like an ACL than an interface.
Hope to help
Giuseppe
12-05-2008 06:54 AM
Giuseppe,
Thanks again for your help. Unfortunately I'm not familiar with GRE, barely with making an IPSec tunnel. Seems if I am going to do this I have some reading to do to catch up on it.
So I could not just have two separate IPSec tunnels going between the two ASAs? That way I could even load balance maybe?
Thanks again for the help.
Dan
12-05-2008 10:30 AM
Hello Dan,
the problem of an IPSec-only solution is the lack of routing control:
think of an IPSec crypto map as equivalent to an ACL: it defines what the interesting traffic to be encrypted is.
The interesting traffic is that between internal LAN IP subnets:
you can build a solution where the first IPSec SA is used as long as it is alive. I don't think you can achieve load balancing:
traffic is encrypted over the first IPSec SA and the other one can be up but idle.
If the first SA is broken, you can probably achieve failover over the second SA.
The GRE tunnels allow you to have an interface that can be referenced in a routing table and so you can even achieve load-balancing if desired.
But I don't know if the ASA can do this.
I see that the ASA can be smarter than routers in managing IPSec tunnels: the ASA has the concept of tunnel groups.
See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1113843, the section "Configuring LAN-to-LAN Connection Profiles".
But I'm not sure; this looks like it is just there to make configuration tasks easier.
Hope to help
Giuseppe
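As an added example (not configuration from the thread or from Cisco's documentation), this is how Giuseppe's design from his first and last replies would look on one IOS router such as the 2851, with the ASA left out of the routing: two GRE tunnels, each sourced from a different WAN interface so that each IPsec SA has its own endpoints, and EIGRP running inside the tunnels so the LAN routes fail over to the backup T1 when the primary adjacency drops. Addresses, interface names, the LAN range and the EIGRP AS number are assumptions, and the far end needs a mirror-image configuration.

```cisco
! Added example (not from the thread): one router's side of a dual GRE-over-IPsec
! design. All addresses, interface names, the LAN range and the EIGRP AS are assumed.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
! PSK placeholders: one per remote endpoint, since each SA has its own peer address
crypto isakmp key PSK-PLACEHOLDER-1 address 198.51.100.1
crypto isakmp key PSK-PLACEHOLDER-2 address 203.0.113.1
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
!
! Primary WAN (multilink T1 bundle) and backup WAN (single T1 from the other ISP)
interface Multilink1
 ip address 192.0.2.2 255.255.255.252
interface Serial0/1/0
 ip address 192.0.2.6 255.255.255.252
!
! Tunnel1 rides the primary link; its IPsec SA uses the primary public endpoints
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source Multilink1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-GRE
!
! Tunnel2 rides the backup T1: separate SA, separate public endpoints. A delay
! (units of 10 us) above Tunnel1's default makes EIGRP prefer Tunnel1 while it is up.
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 delay 100000
 tunnel source Serial0/1/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-GRE
!
! Routing protocol inside the tunnels: when the Tunnel1 adjacency drops, the
! LAN routes learned over Tunnel2 take over automatically.
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 10.10.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
!
! Host routes pin each remote endpoint to its own ISP so the GRE/ESP packets of
! each tunnel actually leave on the intended link.
ip route 198.51.100.1 255.255.255.255 192.0.2.1
ip route 203.0.113.1 255.255.255.255 192.0.2.5
```

Because both SAs stay up all the time, the failover is decided by the EIGRP adjacency inside the tunnels rather than by IPsec dead-peer detection, which is the routing control Giuseppe describes.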