Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
647
Views
0
Helpful
5
Replies

ASA5500 L2L and L3 switch PPP link config scenarios

Eric Boadu
Level 1
Level 1

‎04-21-2010 07:33 AM

Hello guys,

I have private PPP link between two sites connected to two L3 switches as routed port. Traffic between these two LANs is sailing smoothly via the PPP link bidirectional. I have also implemented IPSec VPN tunnel between the same two sites via the internet as backup in case the private link failed. In this case, the tunnel is working great.

When the PPP link restored on the L3 switch the LAN traffic continue to pass through the tunnel.

How do I configure the firewall or the switch to drop the IPSec tunnel when the PPP link restore?

The trick here is my internet ASA5520 firewall at both sites doesn’t know this route because it is part of the LAN. Can sla monitor and tracking with ACL will work? If so, any advice

Site A:

PPP link address 10.10.10.1/30 on L3 switch

ASA 192.168.1.1 outside

192.168.2.1/24 inside

Site B:

PPP link address 10.10.10.2/30 on L3 switch

ASA 10.0.1.1/30

Inside 192.168.2.1/24

Thanks,

Eric

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-21-2010 07:57 AM

Hi,

You want to use the dedicated line as the primary link and the IPsec tunnel as a backup?

Are both connections using static routes (no dynamic routing protocol)?

If so, just use the IP SLA feature with tracking on the ASA.

For example:

The ASA can have a primary static route to the PPP link and if it fails, establish the IPsec tunnel through the Internet connection. The good thing is that if it fails, the ASA then starts routing back again through the PPP link when it comes back.

Federico.

0 Helpful

Eric Boadu
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-21-2010 12:22 PM

You are correct Federica and can you send me an example config? or what do you think for below link. Looking into that for possible resolution.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml#route_removed

0 Helpful

Eric Boadu
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-21-2010 12:25 PM

I only wanted to send inside traffic via the PPP link and internet traffic out via my asa firewall

0 Helpful

Eric Boadu
Level 1
Level 1
In response to Eric Boadu

‎04-21-2010 01:31 PM

Hey guys, I have tested various sla tracking solutions in my lab and finally got the best solution base on the design. I will advise later.

Thx,

Eric

0 Helpful

Eric Boadu
Level 1
Level 1
In response to Eric Boadu

‎04-22-2010 08:20 PM

Hello Guys,

After testing various config I came accross my old references that I used to design MPLS private link. This tracking SLA policy config works great on L3 switch! Make sure the port that will be use on L3 switch is set to routed port instead of trunking betwn two locations. Use L3 subnet to create PPP link.

ip route 0.0.0.0 0.0.0.0 5.5.5.2 <
ip route 4.4.4.0 255.255.255.0 interface ethernet0/1 6.6.6.2 track 50 << to private PPP link

ip sla 1
icmp-echo 6.6.6.2
ip sla monitor schedule 1 life forever start-time now
num 3
freq 10

access-list 101 permit icmp any host 6.6.6.2 echo

route-map local permit 20
match ip address 101
set ip next-hop verify-availability 6.6.6.2 10 track 50

track 50 rtr 1 reachability
delay down 10 up 10

interface ethernet0/1
ip policy route-map local

Thank you all for your input and hope this help others. Please rate this

Thx,

Eric

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents