ASA failover design question

mustafa.s.raza
Level 1

Sites A, B, C

Each has a pair of ASAs in active/passive.

Sites A and B: primary IPsec VPN B2B site.

Can I configure it so that if the connection to site A or B fails, the traffic will route to site C? This scenario will occur in the event of a complete loss of a site, and the active/passive firewalls do work in site A or B.

Thanks

Sent from Cisco Technical Support iPhone App

5 Replies

Hi Mustafa,

I am sure it's possible, but before we discuss further, can you please explain how the 3 sites are connected, etc.? Is there a network diagram that you can post up here?

Regards, Kishore

mustafa.s.raza
Level 1

I don't have a network diagram. All three sites are connected via AT&T MPLS network.

However, this new application requires a second connection via Internet and VPN between sites for PCI compliance purposes.

So basically a broadband-type Internet connection between all three sites for VPN purposes.

Thanks

Sent from Cisco Technical Support iPhone App

You guys don't have some kind of routing protocol in place? I have worked at a couple of different places where we had two VPNs set up between sites and we used EIGRP. So if one went down, EIGRP would send traffic over the other VPN. Of course you'll need to do GRE or VTI to configure EIGRP across the VPN.

Vidyadhar Evani
Level 1

Hi,

If I understand correctly, you have MPLS as the primary mode of connection across sites A, B & C, and you are looking for VPN over the Internet as a backup solution.

I would suggest you go with Cisco DMVPN rather than GRE/IPsec (though GRE/IPsec works fine). You can use a dynamic routing protocol such as EIGRP/OSPF over DMVPN as your backup solution when the primary is down.

Alternatively, if your application is hosted in a primary site, you could provide a Remote Access VPN solution (e.g., Cisco AnyConnect SSL VPN) with RSA two-factor authentication for users to dial in.

Regards,

Vidyadhar Evani.

/Vidya

Marwan ALshawi
VIP Alumni

DMVPN would be the best option if it were not ASA.

Since the ASA does not support it, you could use two static routes for the same destination IP/subnet, one pointing to the primary path/link and the other to the secondary with a higher AD, and use IP SLA with it.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps.
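An added example of the floating static route plus IP SLA tracking described in the reply above, written as an ASA configuration fragment; it is not from the original thread or from Cisco's documentation, and the interface names, remote subnet and gateway addresses are constructed assumptions (documentation address ranges).

```cisco
! Assumed topology (constructed): remote subnet 10.20.0.0/16 is reached
! over IPsec; primary Internet link on interface "outside" via gateway
! 203.0.113.1, secondary Internet link on interface "outside2" via
! gateway 198.51.100.1.
!
! 1. Probe a target that is reachable only through the primary path.
!    Probing the local ISP gateway only detects a dead link; probing the
!    far-end VPN peer's public address also catches an upstream or site
!    outage. The target must not be reachable via the secondary route,
!    otherwise the track flaps once the floating route is installed.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 5
 timeout 2000
sla monitor schedule 10 life forever start-time now
!
! 2. Bind a tracked object to the probe's reachability state.
track 1 rtr 10 reachability
!
! 3. Primary route (AD 1) stays in the routing table only while
!    track 1 is up.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1
!
! 4. Floating route with a higher AD (254) is installed automatically
!    when the primary route is withdrawn, and removed when it returns.
route outside2 10.20.0.0 255.255.0.0 198.51.100.1 254
!
! Verification: "show track 1" reports Reachability is Up/Down and
! "show route" shows which of the two routes is currently active.
```

Note that the ICMP probe tests the path, not the IPsec SA itself, so the crypto configuration must also cover the remote subnet over the secondary path (a second peer or tunnel) for traffic to actually flow after failover.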
