Cisco Support Community
ASA failover design question

Site A,B,C

Each has a pair of ASAs in active/passive.

Sites A and B are the primary IPsec VPN B2B sites.

Can I configure it so that if the connection to site A or B fails, the traffic will route to site C? This scenario would occur in the event of a complete loss of a site, where the active/passive firewalls do work in site A or B.

Thanks


5 REPLIES

ASA failover design question

Hi Mustafa,

I am sure it's possible, but before we discuss further can you please explain how the 3 sites are connected, etc.? Is there a network diagram that you can post up here?

Regards, Kishore


Re: ASA failover design question

I don't have a network diagram. All three sites are connected via AT&T MPLS network.

However, this new application requires a second connection via the Internet and VPN between sites for PCI compliance purposes.

So basically a broadband-type Internet connection between all three sites for VPN purposes.

Thanks


Re: ASA failover design question

You guys don't have some kind of routing protocol in place? I have worked at a couple of different places where we had two VPNs set up between sites and we used EIGRP. So if one went down, EIGRP would send traffic over the other VPN. Of course you'll need GRE or VTI to configure EIGRP across the VPN.


Re: ASA failover design question

Hi,

If I understand correctly, you have MPLS as the primary mode of connection across sites A, B and C, and you are looking for VPN over the Internet as a backup solution.

I would suggest you go with Cisco DMVPN rather than GRE/IPsec (though GRE/IPsec works fine). You can use a dynamic routing protocol such as EIGRP/OSPF over DMVPN as your backup solution when the primary is down.

Alternatively, if your application is hosted in a primary site, you could provide a Remote Access VPN solution (e.g., Cisco AnyConnect SSL VPN) with RSA two-factor authentication for users to dial in.

Regards,

Vidyadhar Evani.

Re: ASA failover design question

DMVPN would be the best option if it were not an ASA.

Since the ASA does not support it, you could use two static routes for the same destination IP/subnet, one pointing to the primary path/link and the other to the secondary with a higher AD, and use IP SLA with it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Hope this helps.
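The static-route-plus-IP-SLA approach described in the reply above, written out as an ASA configuration. This is an added example, not configuration from the original thread or from the linked Cisco document. All addresses are RFC 5737 placeholders chosen here: 10.20.0.0/16 is assumed to be the site B inside network, 203.0.113.1 the ISP next hop on the primary `outside` interface, 203.0.113.50 the site B ASA's public VPN peer address, and 198.51.100.1 the next hop on an assumed second interface named `backup` that leads toward site C.

```cisco
! Added example (not from the thread): ASA static route failover with SLA tracking.
! Probe the far-end peer, not the local ISP gateway: if site B loses power, the
! local gateway still answers and the primary route would never be withdrawn.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.50 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
! Tracking object 1 follows reachability of SLA probe 10.
track 1 rtr 10 reachability
!
! Primary route to site B's inside network via the direct Internet path.
! AD 1, installed only while track 1 reports the probe as reachable.
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1 track 1
!
! Backup route to the same destination via the path toward site C.
! AD 254, so it takes over only when the tracked primary route is withdrawn.
route backup 10.20.0.0 255.255.0.0 198.51.100.1 254
```

Two caveats a practitioner should check before relying on this. First, the probe only proves that the remote peer's public address answers ICMP, so site B must permit ICMP echo to its outside interface, and a tunnel that fails while the peer itself stays up will not trigger failover; probing an address behind the tunnel is stricter but requires that the ASA-sourced probe match the crypto ACL. Second, the backup path has to actually carry the traffic: whatever sits behind the `backup` interface (site C's VPN peer, or the MPLS network mentioned earlier in the thread) needs a matching crypto ACL or route for 10.20.0.0/16, and on an active/standby pair the `sla monitor`, `track` and `route` lines are entered on the active unit and replicated to the standby by failover.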
