We have two sites connected by a gigaman line. Routing between the two sites is done with a couple of HP routers. We also have two separate Internet connections, one at each site, through different providers. The border firewall at one site is a Cisco 5505 and at the other site it is a Cisco 5510. If the gigaman line goes down, we would like to fail over to a site-to-site VPN. Any clue how to set this up? We can set up the site-to-site VPN. The main question is how to make it serve as a failover. Another question is whether the VPN will cause confusion when the gigaman is operational. Thanks. -Glenn.
I think it's a possibility in most setups. If you provide an L3 topology of your networks as they are now (i.e. where the two ISP circuits are connected and how the routers and firewalls are adjacent), we can come up with something more solid.
Typically we would rely (at least on the ASA) on route tracking for the sake of failover.
In a situation like this I would create dynamic routing between the ASAs and the HP routers and point the ASA's default gateway through the corresponding IP address.
In this scenario, by default the ASAs' routing will point through the HP routers to get to the remote end, but once they stop advertising it, the ASA will have a default route pointing towards outside, which will cause the tunnel to be brought up.
When the Gigaman link comes back up, the ASA's routing table is populated again with better routes from the HP routers.
Any concerns/limitations that I might not be aware of with this suggestion?
I'm not sure I understand. It seems that if the default routes for the ASAs are the HP routers, our PCs located in the 192.168.x.x subnets would not have Internet access.
We were originally thinking we could set up the site-to-site VPN while the gigaman link is in operation. Then if the gigaman goes down, we manually change the routing in the HP routers. But we are concerned that the VPN will not coexist well with the gigaman, since it might create a redundant link similar to a network loop. Thanks. -Glenn.
I don't want the ASA's default gateway to be the HP; in fact I would like it to point to the ISP.
The intention is to populate the ASA's routing table with more-preferred dynamic routing protocol prefixes (OSPF/RIP) coming from the HPs. This would also cause traffic for local users to go over the gigaman link if it's available and move to the ASA (following the default route, I assume) when the gigaman link is down.
In this case the failover would be automatic.
Note that, like with any crypto map, the VPN tunnel is only brought up if interesting traffic is flowing through the box; we do not keep it on all the time.
So it would only come up when it's really needed.
It's hard to explain this without the ability to draw.
The solution is a very simple one since your setup is not very complicated:
1- Set up a site-to-site VPN between your 5505 and 5510 with the encryption domain 192.168.10.x/x on the ASA5505 and 192.168.1.x/x on the ASA5510. Simple, right?
2- On the HP router 4204 (#2), add a floating static route, something like "ip route 192.168.1.x/x 192.168.100.34 220", and on the HP router 4004 (#1) do the same thing, like "ip route 192.168.10.x/x 192.168.1.4 220".
Now, if the Gigaman WAN link goes down on either side, 192.168.10.x will not be able to get to 192.168.1.x via the gigaman link; it will "automatically" use the VPN tunnel without you having to do anything. Once the Gigaman WAN link is restored, it will revert back to the Gigaman WAN path.
In summary, the solution is to use floating routes on the HPs in addition to setting up a site-to-site VPN between the ASA5505 and ASA5510. No need for dynamic routing in your situation; that would only further complicate things.
Simple is good! I will try the floating static routes. So you don't see a problem running the VPN while the gigaman is operational? For example:
1. If you are on the console of the 5505 and you ping a computer on the other side of the WAN, say 192.168.1.50, how does the ASA decide whether to send the ping over the gigaman or the VPN?
2. If you are on a computer in the local network, say 192.168.1.50, and you connect to the 5505 via SSH, how does it know whether to reply through the gigaman or the VPN? Does it default to the interface where your SSH session originated?
Sorry if these are elementary questions. I am still learning networking. Thanks. -Glenn.
"So you don't see a problem running the VPN while the gigaman is operational?"
No, because the tunnel will not come up, as all of your traffic will be going across the Gigaman link.
"If you are on the console of the 5505 and you ping a computer on the other side of the WAN, say 192.168.1.50, how does the ASA decide whether to send the ping over the gigaman or the VPN?"
You do NOT do that. That traffic will go out to the Internet and not the VPN; that traffic is not part of the encryption domain.
You can test the VPN connectivity by adding a /32 host route on both HP routers with the next hop as the ASA. That way, when you set up your VPN, you can see the traffic being encrypted.
If you're on 192.168.1.50 and SSH to the ASA5505, it will go over the gigaman link because that is the preferred route.
O.K., I'm looking at the configuration files in the ASAs and I see that there are static routes for the internal networks. For instance, in the 5505, there is a static route:
route inside inside-network 255.255.0.0 192.168.100.1 1
The inside-network is defined as 192.168.0.0/16. 192.168.100.1 belongs to HP router #2. So what happens if the gigaman goes down and we are using the floating static routes in the HP routers? For example, if a computer with IP 192.168.100.5 wants to talk to a server at 192.168.1.30, the traffic goes to HP router #2, then to the ASA 5505. Will the 5505 send it out the VPN, or will it follow the static route and send it back to HP #2? Thanks again. -Glenn.
P.S. I updated the diagram for simplicity and added the internal IPs of the routers.
Do this on the ASA5505: route outside 192.168.1.0 255.255.255.0 Internet-gateway-nexthop
Do this on the ASA5510: route outside 192.168.100.0 255.255.255.0 Internet-gateway-nexthop
Remember, with Cisco, routing takes place before encryption.
Would it be possible to use floating static routes in the ASAs, too? Like this:
ASA 5505: route outside 192.168.1.0 255.255.255.0 220 internet-gateway-nexthop
ASA 5510: route outside 192.168.100.0 255.255.255.0 220 internet-gateway-nexthop
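The route-selection behaviour behind the floating-static answer and the last two posts (a floating static route only takes over once the primary route leaves the table, and the ASA consults its routing table before the crypto map), as an added example that is not part of this thread or any vendor code. It models the HP #2 floating static route from the earlier answer and the 5505 table from the posted config; the gigaman next hop 10.0.0.2 and the ISP next hop 203.0.113.1 are assumed placeholders, and the crypto ACL is the 192.168.100.0/24 to 192.168.1.0/24 encryption domain used in the later posts.

```python
"""Route-selection model for the failover design discussed above.

Added example, not from the thread: it models (1) the floating static
routes on the HP routers and (2) the ASA's route-lookup-before-encryption
order. Prefixes, next hops and the distance value 220 come from the thread;
the gigaman-side next hop 10.0.0.2 and the ISP next hop 203.0.113.1 are
assumed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    next_hop: str
    distance: int = 1  # administrative distance: lower is preferred


class RoutingTable:
    """Minimal RIB: longest prefix match first, then administrative distance."""

    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, prefix: str, interface: str, next_hop: str, distance: int = 1) -> None:
        self._routes.append(Route(Net(prefix), interface, next_hop, distance))

    def link_down(self, interface: str) -> None:
        # A static route whose exit interface is down leaves the table; that is
        # what lets a higher-distance floating static route take over.
        self._routes = [r for r in self._routes if r.interface != interface]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = IPv4(dst)
        matches = [r for r in self._routes if addr in r.prefix]
        if not matches:
            return None
        # A longer prefix always wins; distance only breaks ties between routes
        # to the same prefix, so a /24 with distance 220 still beats a /16
        # with distance 1.
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def hp2_failover() -> Tuple[str, str, str]:
    """HP router #2 (192.168.100.0/24 side): primary route over the gigaman,
    floating static (distance 220) towards the ASA5505 inside address.
    Returns (interface before outage, next hop during outage, interface after)."""
    hp2 = RoutingTable()
    hp2.add("192.168.1.0/24", "gigaman", "10.0.0.2")          # assumed HP #1 gigaman address
    hp2.add("192.168.1.0/24", "lan", "192.168.100.34", 220)   # floating static from the thread
    before = hp2.lookup("192.168.1.30").interface
    hp2.link_down("gigaman")
    during = hp2.lookup("192.168.1.30").next_hop
    hp2.add("192.168.1.0/24", "gigaman", "10.0.0.2")          # link restored
    after = hp2.lookup("192.168.1.30").interface
    return before, during, after


# Encryption domain (crypto ACL) on the 5505: local 192.168.100.0/24 to remote 192.168.1.0/24.
CRYPTO_ACL = [(Net("192.168.100.0/24"), Net("192.168.1.0/24"))]


def asa5505_decision(src: str, dst: str, outside_route_distance: Optional[int]) -> tuple:
    """Forwarding decision on the 5505 for one packet.

    outside_route_distance=None reproduces the table as posted (only the
    'route inside 192.168.0.0/16' plus a default route); an integer adds
    'route outside 192.168.1.0/24' with that administrative distance.
    """
    asa = RoutingTable()
    asa.add("0.0.0.0/0", "outside", "203.0.113.1")          # default route; assumed ISP next hop
    asa.add("192.168.0.0/16", "inside", "192.168.100.1")    # from the posted config
    if outside_route_distance is not None:
        asa.add("192.168.1.0/24", "outside", "203.0.113.1", outside_route_distance)
    route = asa.lookup(dst)
    if route is None:
        return ("drop",)
    # The crypto map hangs off the outside interface, so it is consulted only
    # after the route lookup has already chosen 'outside'. With just the /16
    # inside route, the packet is handed back to HP #2 and never encrypted.
    if route.interface == "outside":
        for local, remote in CRYPTO_ACL:
            if IPv4(src) in local and IPv4(dst) in remote:
                return ("encrypt", route.next_hop)
    return ("clear", route.interface, route.next_hop)


if __name__ == "__main__":
    print("HP #2 (before, during, after outage):", hp2_failover())
    for dist in (None, 1, 220):
        print("5505, outside /24 distance", dist, "->",
              asa5505_decision("192.168.100.5", "192.168.1.30", dist))
    print("5505, Internet-bound:", asa5505_decision("192.168.100.5", "8.8.8.8", 220))
```

Running it shows the two points the thread makes: HP #2 forwards to 192.168.100.34 only while the gigaman route is absent, and the 5505 encrypts 192.168.100.5 to 192.168.1.30 only once a more specific /24 points out the outside interface; whether that /24 carries distance 1 or 220 makes no difference, because prefix length is compared before administrative distance.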