Static Route redundancy for connected route and vpn tunnel

tmpoff

I will try to make this question as simple as possible.

I have an ASA that is connected directly to a remote site via a p2p metro ethernet circuit.  Therefore, the ASA has an interface on that "remote" network.  In the firewall, the network is a connected route.  I will use 192.168.1.0/24 as the network.

I want to create a redundant path to the remote site via a VPN over our Internet connections.  How do I set up the tunnel and the routing to make this happen?  I get the tunnel set up no problem.  How do I get traffic destined for 192.168.1.0/24 to go over the VPN as opposed to the directly connected route when that connection fails?

1 Accepted Solution

When using:

route p2p 192.168.1.0 255.255.255.0 x.x.x.x 10

route vpn 192.168.1.0 255.255.255.0 y.y.y.y 20

x.x.x.x will be the next-hop when going out the p2p interface.

y.y.y.y will be the next-hop when going out the VPN interface.

Which IP do you have on the p2p and on the VPN (internet) interface?

Federico.

6 Replies

Hi,

The ASA has an interface belonging to the p2p link (not to the remote network), so you can have a VPN tunnel configured via another interface to reach that remote network.

However, the VPN tunnel will have to terminate on a different IP (not the other end of the p2p link), because the ASA will only use its own interface on the p2p link to reach the other end of the p2p link.

Federico.

The vpn tunnel does terminate on the Internet interface of that remote router.

I can set up a tracking object to tell me when the p2p link goes down.  I just need to know how to force the traffic over the VPN tunnel as opposed to the connected route?

What should or can I use as the next hop address for the route statement?

Let's say you have this route on the ASA:

route p2p 192.168.1.0 255.255.255.0 x.x.x.x --> which is the next-hop over the p2p

You can do this:

route p2p 192.168.1.0 255.255.255.0 x.x.x.x 10

route vpn 192.168.1.0 255.255.255.0 y.y.y.y 20

So, the route through interface vpn will be used only when the p2p link is down.

Federico.

So my question is what should y.y.y.y be?  I attached a basic diagram for reference.  You are being very helpful.  Thanks.

I got the answer from you.  Thanks for your help.

y.y.y.y = 33.33.33.1 from the drawing
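
An added example, not part of the original thread: the two routes from Federico's answer combined with the tracking object the asker mentions, so the p2p route is withdrawn when the far end stops answering even if the local metro ethernet link stays up. The SLA and track IDs, the timers, and the choice to probe x.x.x.x are assumptions; x.x.x.x and y.y.y.y remain the thread's placeholders.

```cisco
! Added example; IDs (10, 1) and timers are assumed values.
! Probe the p2p next hop every 5 seconds, 3 echoes per probe.
sla monitor 10
 type echo protocol ipIcmpEcho x.x.x.x interface p2p
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is up only while the probe gets replies.
track 1 rtr 10 reachability
!
! Primary: distance 10, installed only while track 1 is up.
route p2p 192.168.1.0 255.255.255.0 x.x.x.x 10 track 1
! Backup: distance 20, takes over when the primary is withdrawn.
route vpn 192.168.1.0 255.255.255.0 y.y.y.y 20
```

`show track 1` and `show route` confirm which of the two routes is installed. The tunnel's crypto ACL must also match traffic to 192.168.1.0/24, or packets sent out the vpn interface will leave unencrypted or be dropped.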
