Cisco Support Community
IP SLA Failover for internal traffic out site-to-site VPN

Hello,

I am in the process of researching a way to configure a router for failover: when the internal EIGRP link is down, it should then route to the firewall and out a site-to-site VPN connection via the internet back to our core. I've been focusing on IP SLAs and reading up on those; however, I'm unclear whether this is the best or easiest method. Is a weighted route just as effective?

I've been reading here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/12-2sx/sla-12-2sx-book.pdf

https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla


The drawing reflects the topology. If the link from RTR1 into the EIGRP cloud fails, I'm looking for failover to FW1 out the site-to-site VPN to the core firewall.

Regards,

Paul

2 REPLIES

Hi,

Are you using static routes for your site-to-site VPN?

If yes, you can assign it a higher AD than EIGRP (90), and it should become your backup connection.

HTH
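An added illustration of the floating-static approach suggested in this reply; it is example configuration written for this thread, not taken from the original post. The interface names, the EIGRP AS number and the uplink subnet are assumptions. FW1's inside address (10.142.8.254) and RTR1's LAN address (10.142.8.253) are taken from the ASA config posted later in the thread, and the core prefixes from its crypto ACL.

```cisco
! RTR1 -- added example, not from the original post.
! Assumptions: GigabitEthernet0/0 is the EIGRP uplink into the core cloud,
! GigabitEthernet0/1 is the LAN (10.142.8.0/24) shared with FW1, whose inside
! address is 10.142.8.254; EIGRP AS 100 is assumed, and the core prefixes are
! the ones listed in the ASA's DM_INLINE_NETWORK_1 object-group.
interface GigabitEthernet0/0
 description EIGRP uplink to core
 ip address 10.142.254.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN, FW1 inside at 10.142.8.254
 ip address 10.142.8.253 255.255.255.0
!
router eigrp 100
 network 10.142.8.0 0.0.0.255
 network 10.142.254.0 0.0.0.3
!
! Floating static routes toward FW1. AD 200 is worse than EIGRP internal (90)
! and EIGRP external (170), so these stay out of the RIB while EIGRP has a
! path. When the uplink fails (interface down, or hold-timer expiry on a
! link whose interface stays up), EIGRP withdraws its routes and these install.
! Specific prefixes rather than a floating default, so only core-bound
! traffic is redirected to the firewall.
ip route 10.140.0.0 255.255.0.0 10.142.8.254 200
ip route 10.141.0.0 255.255.0.0 10.142.8.254 200
ip route 172.16.16.0 255.255.255.0 10.142.8.254 200
!
! Optional: faster detection when the uplink is a LAN-type circuit that stays
! "up" after the far side dies (EIGRP default hello/hold is 5 s / 15 s).
interface GigabitEthernet0/0
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
!
! Verification:
!   show ip route 10.140.0.0   -> "D ... [90/...]" normally,
!                                 "S ... [200/0] via 10.142.8.254" during failover
!   show ip eigrp neighbors
```

With EIGRP as the primary, an IP SLA on RTR1 is not required for this failure: the EIGRP route leaves the RIB when the adjacency drops, and the floating static takes over by administrative distance alone. Two things the router config cannot fix on its own: the firewall must actually forward 10.140.0.0/16 out the tunnel rather than back toward RTR1 while the primary path is down, and the core side needs the mirror-image fallback (its own route for 10.142.0.0/16 through the VPN when its EIGRP path is gone), otherwise return traffic is black-holed or flows asymmetrically.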


I'm not certain. Can you help identify it from the config below?


ASA Version 8.2(5)
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description Inside
 speed 100
 duplex full
!
interface Ethernet0/2
 description Guest
 switchport access vlan 4
 speed 100
 duplex full
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/4
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/5
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/6
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/7
 speed 100
 duplex full
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.142.8.254 255.255.255.0
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address
!
interface Vlan4
 no forward interface Vlan1
 nameif Guest
 security-level 50
 ip address 10.142.9.254 255.255.0.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
object-group network DM_INLINE_NETWORK_1
 network-object 10.140.0.0 255.255.0.0
 network-object 10.141.0.0 255.255.0.0
 network-object 172.16.16.0 255.255.255.0
object-group network
 network-object 10.142.1.0 255.255.255.0
 network-object 10.142.5.0 255.255.255.0
 network-object 10.142.6.0 255.255.255.0
 network-object 10.142.8.0 255.255.255.0
 network-object 172.20.200.0 255.255.255.0
access-list xxxx standard permit 10.140.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip object-group yyyy object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip object-group yyyy object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.140.0.0 255.255.0.0 10.142.8.253 1
route inside 10.142.0.0 255.255.0.0 10.142.8.253 1
route inside 172.20.200.0 255.255.255.0 10.142.8.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 173.227.223.182
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5dd9cf8011a785416b2652f6962b4ee2
: end
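An added example for the ASA side, written for this thread and not part of the posted config. The config above carries `route inside 10.140.0.0 255.255.0.0 10.142.8.253 1`, which stays in the routing table whether or not the EIGRP path behind 10.142.8.253 is alive. During failover RTR1 hands 10.140.0.0/16 traffic to the ASA, that static route sends it straight back to RTR1, and nothing ever reaches the crypto map on the outside interface. Tracking the route with an SLA monitor (ASA `sla monitor` / `track` / `route ... track`, available on 8.2) removes it when a core host stops answering via inside, so the default route out outside takes over and `outside_1_cryptomap` encrypts the traffic. The probed address 10.140.0.1, the SLA and track IDs and the timers are assumptions.

```cisco
! FW1 (ASA 8.2) -- added example, not the poster's config.
! Assumption: 10.140.0.1 is a core host that answers ICMP and is reachable
! through the EIGRP path (via RTR1, 10.142.8.253) only while that path is up.
sla monitor 10
 type echo protocol ipIcmpEcho 10.140.0.1 interface inside
 num-packets 3
 threshold 2000
 timeout 3000
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Replace the untracked static with a tracked one. "interface inside" on the
! probe pins the echo to that interface regardless of the routing table, so
! the probe keeps testing the primary path after the route has been withdrawn
! and re-installs it when the core answers again.
no route inside 10.140.0.0 255.255.0.0 10.142.8.253 1
route inside 10.140.0.0 255.255.0.0 10.142.8.253 1 track 1
!
! The other inside routes stay untouched: 10.142.0.0/16 and 172.20.200.0/24
! are the local sites behind RTR1 and form the *source* side of the crypto
! ACL, so they must keep pointing inside. 10.141.0.0/16 and 172.16.16.0/24
! have no inside route in the posted config and already follow the default
! route, i.e. the tunnel. nat (inside) 0 with inside_nat0_outbound already
! exempts the local sites from PAT toward the core prefixes.
!
! Verification:
!   show sla monitor operational-state 10
!   show track 1
!   show route               -> 10.140.0.0/16 present only while track 1 is up
!   show crypto ipsec sa     -> encaps counters rise once failover is active
```

Two caveats worth checking alongside this. First, the core firewall needs the same logic in reverse: while its own EIGRP path to this site is down it must route 10.142.0.0/16 and 172.20.200.0/24 into the tunnel, or return traffic never comes back through the VPN. Second, the tunnel itself is negotiated with `encryption 3des`, `hash sha`, `group 2` and the ESP-3DES-SHA transform set; 3DES and a 1024-bit DH group are weak by current standards, so if the backup path is going to carry internal traffic, move both peers to an AES transform set and the strongest DH group both sides support.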
