easy vpn or site-to-site vpn for back up connection?
All of my remote sites are connected to HQ via MPLS circuits. I would like to create back link for those remote sites using 871 routers with DSL connection and terminate ipsec vpn tunnels at the outside interface of ASA5540 located at HQ.
The 871 routers will be configured HSRP standby mode. It becomes active and forward traffic when the main router of the remote site losses connection to HQ.
1. Has anyone had similar requirements and use easy vpn as a solution? will site-to-site work better for this scenario?
2. How to make ASA5540 handle the routes properly when it sees the same subnets located on both Inside interface and the other end of the tunnel which is terminated at the outside interface?
Static routes are configured on the ASA.
3. I also try to avoid user entering username and password for interactive authentication in easy vpn.
Re: easy vpn or site-to-site vpn for back up connection?
yes you can site-to-site VPN as a backup.
If the interface going to the backup connection is an interface different than the outside interface, and if the regular connection going down means that the outside interface will go down, then you only need an additional default route, but with a higher metric than your regular route.
But if both connections go out the same interface, or if the outside interface will not go down when the primary Internet connection goes down, then you'll need to take a different approach. ASA 7.2 code introduced a feature called "Standby ISP Support", which allows the firewall to keep an active track on an Internet connection, and if that connection
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...