Dynamic Routing for Failover L2L VPN

Hi,
Can someone offer me some guidance with this issue please?
I've attached a simple diagram of our WAN for reference.
Overview
Firewall is ASA 5510 running 8.4(9)
Core network at Head Office uses OSPF
Static routes on ASA are redistributed into OSPF
Static routes on ASA for VPN are redistributed into OSPF with a metric of 130 so redistributed BGP routes are preferred
Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
Branch Office WAN uses BGP - Routes are redistributed into OSPF
The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
Backup BO router (.253) only contains a default route to internet
Under normal operation, traffic to/from BO uses Local Branch Office WAN
If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN and normal operation is resumed.
I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
I suppose what I need to know is: is this design feasible, and if so, where am I going wrong?
Thanks,
Paul

Hi Paul,
Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP SLA on the ASA to push network traffic for "10.10.10.0/24" based on the echo reply.
Please look at the example below. It shows that traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
This config will go on the ASA:
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1 track 10
(assuming 10.0.0.2 is the inside IP address of the router at HO that the ASA peers with)
route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
(the value 254, given after the gateway, makes the route via the IPsec tunnel the higher-cost path; xxx.xxx.xxx.xxx is the ISP default gateway)
sla monitor 99
 type echo protocol ipIcmpEcho 10.10.10.254 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 99 life forever start-time now
track 10 rtr 99 reachability
Let me know, if this helps.
thanks
Rizwan Rafeek
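Added example (not Rizwan's or Paul's configuration): the tracked route from the reply above combined with the OSPF redistribution Paul describes, arranged so that only the tunnel-side route is ever advertised into OSPF. Taken from the thread: 10.10.10.0/24 (branch LAN), 10.10.10.254 (branch router), 10.0.0.2 (core next hop) and metric 130. Assumed: 203.0.113.1 as the ISP gateway, 198.51.100.1 as the branch IPsec peer, 10.1.0.0/16 as the HQ LANs, 10.0.0.0/24 as the ASA-to-core link, ASA 8.4 syntax, and the ACL, route-map and transform-set names.

```cisco
! Added example; not the configuration from the reply or the original post.
! Assumed: 203.0.113.1 = ISP gateway on "outside", 198.51.100.1 = branch
! IPsec peer, 10.1.0.0/16 = HQ LANs, 10.0.0.0/24 = ASA-to-core link.
! From the thread: 10.10.10.0/24 = branch LAN, 10.10.10.254 = branch router,
! 10.0.0.2 = core next hop, metric 130 = the metric Paul uses for VPN routes.

! Probe the branch router's LAN address through the core every 10 seconds.
sla monitor 99
 type echo protocol ipIcmpEcho 10.10.10.254 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 99 life forever start-time now
track 10 rtr 99 reachability

! Untracked host route for the probe target, so the echoes stay on the core
! path after the tracked route is withdrawn; if the probe itself followed
! the floating route into the tunnel, the track could never come back up.
route inside 10.10.10.254 255.255.255.255 10.0.0.2 1

! Normal path (AD 1, tied to the track) and floating backup path (AD 254).
! The backup only enters the routing table when the tracked route is gone
! AND the core is no longer advertising 10.10.10.0/24 via OSPF (AD 110).
route inside 10.10.10.0 255.255.255.0 10.0.0.2 1 track 10
route outside 10.10.10.0 255.255.255.0 203.0.113.1 254

! Redistribute only static routes whose next hop is out "outside", i.e. the
! tunnel path, so the ASA never advertises the core's own path back to it.
access-list BRANCH_LANS standard permit 10.10.10.0 255.255.255.0
route-map VPN_BACKUP_ROUTES permit 10
 match ip address BRANCH_LANS
 match interface outside
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 redistribute static metric 130 subnets route-map VPN_BACKUP_ROUTES

! Tunnel definition without "set reverse-route": the floating static route
! replaces RRI, so the remote subnet is no longer pinned in the routing
! table while the branch WAN is healthy.
access-list BRANCH_VPN extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address BRANCH_VPN
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
```

Failover sequence with this in place: the branch WAN drops, the core stops redistributing the BGP route, the echoes fail and track 10 goes down, the floating route appears on the ASA and is redistributed with metric 130, and the core sends branch traffic to the ASA. When the WAN returns the core's own route wins at metric 130, the ASA learns it via OSPF (AD 110 beats 254), the probes succeed again and the tracked route takes over. The trade-off of the /32 probe route is that 10.10.10.254 itself stays unreachable from HQ during failover. Check state with "show track 10", "show sla monitor operational-state 99" and "show route 10.10.10.0".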

Similar Messages

  • Dynamic routing for a Business Service with multiple operations

    I have two business services with multiple operations. Business service A (bsA) has operations OpA1 and OpA2. Business service B (bsB) has operations OpB1 and OpB2.
    Depending on the incoming Proxy message and operation, I have to do one of the following:
    1. If someValue = A and operation = Op1 then invoke operation opA1 of bsA
    2. If someValue = B and operation = Op1 then invoke operation opB1 of bsB
    3. If someValue = C and operation = Op1 then invoke operation opA1 of bsA AND* operation opB1 of bsB and return aggregate data of both invocations
    4. If someValue = A and operation = Op2 then invoke operation opA2 of bsA
    5. If someValue = B and operation = Op2 then invoke operation opB2 of bsB
    6. If someValue = C and operation = Op2 then invoke operation opA2 of bsA AND* operation opB2 of bsB and return aggregate data of both invocations
    Using a dynamic route node or dynamic routing options, I am able to achieve cases 1, 2, 4, and 5.
    But for cases 3 & 6, I cannot use a route node. When I use a Service callout instead, I am forced to create an Operational branch, but that does not seem like the best design since for every new operation added to the business services I have to add a new branch to the Operational branch and redo all the functionality for that branch.
    Basically, I am looking to achieve the functionality of the Route node ( no need to specify the operation ).
    Any thoughts/ideas on what the best design would be?
    thanks

    For cases 3 & 6, why don't you route to another proxy service where you can simply do two service callouts, merge the output data somehow and return it to the first proxy?
    If you look for "special route feature", that could possibly call two services for a single message, I'm afraid you won't succeed.

  • Public-to-Public L2L VPN no return traffic

    Hello all,
    I'm hoping someone can give me a little help. I've researched the web and have read many forums, but I still can't get this to work. One of our vendors requires using a public IP address to set up a site-to-site IPsec VPN. We only have one public IP address and that will be used for the VPN endpoint and for Internet access for the local network. I've set up policy NAT from our local network to the outside interface. I'm also using the outside IP address for the crypto map. The tunnel sets up successfully and the Tx count increases any time I try to ping the remote network, but the ping fails and the Rx count does not increase. According to our vendor, we should be able to ping the remote network and connect using port 443. When trying to connect using port 443, I see a SYN timeout in the logs. I'm not sure if the problem is on their end and they're rejecting our traffic, or if something is misconfigured on our end. I'd like to make sure that I have everything configured correctly before I go and point fingers at them. Any help would be appreciated. Thanks.
    Local Network - 10.10.9.0/24
    Remote Network - 20.20.41.0/24
    Remote Peer - 20.20.60.193
    ASA Version 8.2(5)
    hostname ciscoasa
    domain-name
    names
    name 10.10.9.3 VPN description VPN Server
    name 10.10.9.4 IntranetMySQL description MySQL For Webserver
    name 192.168.0.100 IIS_Webserver
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.9.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.***.***.162 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.0.254 255.255.255.0
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 10.10.9.1
      domain-name
    same-security-traffic permit inter-interface
    object-group service VPN_TCP
    description VPN TCP Connection
    service-object tcp eq 1195
    object-group service VPN_UDP
    description VPN UDP Port
    service-object udp eq 1194
    object-group service VPN_HTTPS
    description VPN HTTPS Web Server
    service-object tcp eq 943
    service-object udp eq 943
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service WebServer
    service-object tcp eq 8001
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service VPN_HTTPS_UDP udp
    port-object eq 943
    object-group service WCF_WebService tcp
    port-object eq 808
    object-group service RDP tcp
    port-object eq 3389
    object-group service RDP_UDP udp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_2
    service-object tcp-udp eq www
    service-object tcp eq https
    object-group service *_Apache tcp
    port-object eq 8001
    object-group service *_ApacheUDP udp
    port-object eq 8001
    object-group service IIS_SQL_Server tcp
    port-object eq 1433
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq www
    port-object eq https
    object-group service File_Sharing tcp
    port-object eq 445
    object-group service File_Sharing_UDP udp
    port-object eq 445
    object-group service MySQL tcp
    port-object eq 3306
    object-group service Http_Claims_Portal tcp
    port-object eq 8080
    object-group service Http_Claims_PortalUDP udp
    port-object eq 8080
    object-group service RTR_Portal tcp
      description Real Time Rating Portal
    port-object eq 8081
    object-group service RTR_PortalUDP udp
    port-object eq 8081
    object-group service DM_INLINE_SERVICE_3
    service-object tcp-udp eq www
    service-object tcp eq https
    access-list outside_access_in extended permit udp any 70.***.***.0 255.255.255.0 eq 1194
    access-list outside_access_in extended permit tcp any any eq 1195
    access-list outside_access_in extended permit object-group VPN_HTTPS any any
    access-list outside_access_in extended permit tcp any interface outside eq 943
    access-list outside_access_in extended permit tcp any any eq 8001
    access-list inside_access_in extended permit tcp any any
    access-list outside_access_in_1 extended permit tcp any interface outside eq 943
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_1 host 71.***.***.165 host 71.***.***.162
    access-list outside_access_in_2 extended permit object-group TCPUDP any any inactive
    access-list outside_access_in_2 extended permit icmp any any
    access-list outside_access_in_2 extended permit object-group VPN_HTTPS any host 71.***.***.162
    access-list outside_access_in_2 remark VPN TCP Ports
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 eq 1195
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 eq 1194
    access-list outside_access_in_2 remark Palm Insure Apache Server
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group *_Apache inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group *_ApacheUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group MySQL inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group Http_Claims_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group Http_Claims_PortalUDP inactive
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.164 object-group RTR_Portal inactive
    access-list outside_access_in_2 extended permit udp any host 71.***.***.164 object-group RTR_PortalUDP inactive
    access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_3 any host 71.***.***.164 inactive
    access-list outside_access_in_2 remark RTR Access Rule for Internal VM's
    access-list outside_access_in_2 extended permit tcp any host 71.***.***.162 object-group Http_Claims_Portal
    access-list outside_access_in_2 remark RTR Access rule for internal VMs
    access-list outside_access_in_2 extended permit udp any host 71.***.***.162 object-group Http_Claims_PortalUDP
    access-list inside_access_in_1 extended permit object-group TCPUDP any any
    access-list inside_access_in_1 extended permit icmp any any
    access-list inside_access_in_1 extended permit esp any any
    access-list inside_access_in_1 extended permit udp any any eq isakmp
    access-list dmz_access_in extended permit ip any any
    access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 70.***.***.252
    access-list dmz_access_in extended permit tcp any host 70.***.***.252 eq www
    access-list dmz_access_in_1 extended permit tcp host IIS_Webserver host 10.10.9.5 object-group DM_INLINE_TCP_1 inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any host IIS_Webserver eq www inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq https inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group *_Apache inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group *_ApacheUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver eq 3389 inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group IIS_SQL_Server inactive
    access-list dmz_access_in_1 extended permit object-group TCPUDP any any inactive
    access-list dmz_access_in_1 extended permit tcp host 10.10.9.5 host IIS_Webserver eq ftp inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group MySQL inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group Http_Claims_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group Http_Claims_PortalUDP inactive
    access-list dmz_access_in_1 extended permit tcp any host IIS_Webserver object-group RTR_Portal inactive
    access-list dmz_access_in_1 extended permit udp any host IIS_Webserver object-group RTR_PortalUDP inactive
    access-list inside_nat_static extended permit ip host 10.10.9.1 20.20.41.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip host 71.***.***.162 20.20.41.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (dmz) 1 interface
    nat (inside) 1 10.10.9.0 255.255.255.0
    static (inside,outside) tcp interface 943 VPN 943 netmask 255.255.255.255
    static (inside,outside) tcp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1194 VPN 1194 netmask 255.255.255.255
    static (inside,outside) udp interface 1195 VPN 1195 netmask 255.255.255.255
    static (inside,outside) tcp interface ssh IntranetMySQL ssh netmask 255.255.255.255
    static (inside,outside) tcp interface ftp IntranetMySQL ftp netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.10.9.5 www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3389 IIS_Webserver 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8001 IIS_Webserver 8001 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 www IIS_Webserver www netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 https IIS_Webserver https netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 ftp IIS_Webserver ftp netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 3306 IIS_Webserver 3306 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8080 IIS_Webserver 8080 netmask 255.255.255.255
    static (dmz,outside) tcp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,outside) udp 71.***.***.164 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (dmz,inside) tcp IIS_Webserver 8081 IIS_Webserver 8081 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (inside,outside) udp interface 8080 10.10.9.15 8080 netmask 255.255.255.255
    static (dmz,outside) 71.***.***.164 IIS_Webserver netmask 255.255.255.255
    static (dmz,inside) IIS_Webserver IIS_Webserver netmask 255.255.255.255
    static (inside,dmz) 10.10.9.5 10.10.9.5 netmask 255.255.255.255
    static (inside,outside) interface  access-list inside_nat_static
    access-group inside_access_in_1 in interface inside
    access-group outside_access_in_2 in interface outside
    access-group dmz_access_in_1 in interface dmz
    route outside 0.0.0.0 0.0.0.0 71.***.***.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 10.10.9.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 20.20.60.193
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 10.10.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 20.20.60.193 type ipsec-l2l
    tunnel-group 20.20.60.193 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    Hi,
    If you are using the public IP address of your ASA (that is used as the PAT address for all outbound traffic) as the only source IP address for the L2L VPN, you don't really have to build any additional NAT configurations for the L2L VPN connection. So you shouldn't need the "static" configuration you have made.
    static (inside,outside) interface  access-list inside_nat_static
    This is because any traffic from your local LAN will be PATed to the "outside" IP address and when the ASA also sees that the destination network for the connection is part of the L2L VPN configurations, then the traffic should be forwarded to the L2L VPN connection just fine.
    Did you try the connectivity without the "static" configuration?
    For ICMP testing I would add the command
    fixup protocol icmp
    or
    policy-map global_policy
      class inspection_default
       inspect icmp
    Should do the same thing
    - Jouni

  • Dynamic Routing using AQ Adapter

    Hi
    I am using the AQ Adapter to configure my OSB Business services to enqueue/dequeue messages to my AQ queues.
    My requirement is to post messages to different AQ queues at runtime without having to reconfigure the adapter every time.
    I tried the routing options. They only allow me to change the endpoint URL, which is the Datasource name in the AQ adapter, but they do not allow me to change the queue_name at runtime.
    Is there any other way of achieving dynamic routing for AQ?
    Thanks
    Gayatri

    Thanks for your reply, but i guess i have not been successful in explaining my requirement clearly.
    I am not interested in changing the routing pattern at the AQ level using Alter propagation.
    My requirement is one step above this, while posting a message to the source AQ queue.
    For eg: My multi-consumer table name: Publisher_Table
    Queues in my Publisher_Table: 1. Pub1
    2. Pub2
    3. Pub3 and so on
    I need to post messages on Pub1, Pub2 etc. However, while configuring the AQ adapter for the enqueue operation I had to hardcode my queue name to Pub1 (one among the multiple queues created).
    My query is whether I can have this queue name as a variable, so that at runtime I can change the target, instead of having to configure multiple AQ adapters, one for each Pub queue.
    Thanks
    Gayatri

  • AQ Adapter Dynamic Routing

    Hi
    I have posted this query in AQ forum,am posting this again in adapters forum hoping to get some solution for the below issue.
    I am using the AQ Adapter to configure my OSB Business services to enqueue/dequeue messages to my AQ queues.
    My requirement is to post messages to different AQ queues at runtime without having to reconfigure the adapter every time.
    For eg: My multi-consumer table name: Publisher_Table
    Queues in my Publisher_Table: 1. Pub1
    2. Pub2
    3. Pub3 and so on
    I need to post messages on Pub1, Pub2 etc. However, while configuring the AQ adapter in JDeveloper for the enqueue operation I had to hardcode my queue name to Pub1 (one among the multiple queues created).
    My query is whether I can have this queue name as a variable, so that at runtime I can change the target, instead of having to configure multiple AQ adapters, one for each Pub queue.
    Is there any other way of achieving dynamic routing for AQ?
    Thanks
    Gayatri

    Hi Gayatri,
    There is no option other than hard-coding the queue name, but your use case can be addressed in OSB easily.
    Create Business Services for each and every queue and in the proxy message flow use the dynamic routing action to determine at runtime which Business Service should be invoked. To know more about the dynamic routing action in OSB, please refer to:
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/modelingmessageflow.html#wp1100135
    Re: OSB proxy service lookup
    Regards,
    Anuj

  • L2L VPN-8.4(3)

    Hi,
    We are setting up an IPsec L2L tunnel with our client. The client will access some of our internal servers through the VPN tunnel. The client is NATing their internal networks to the public IP 121.16.141.x. We have the servers below which the client would access.
    10.150.20.131
    10.150.20.132
    I have prepared a config for the VPN tunnel but am not pretty sure that it is correct, so I am looking for your help on this.
    ======================================
    object-group network server_IP
    network-object host 10.150.20.131
    network-object host 10.150.20.132
    object network client_IP
    host 121.16.141.x
    nat (inside,outside) source static server_IP server_IP destination static client_IP client_IP no-proxy-arp
    access-list VPN extended permit ip object-group server_IP object client_IP
    crypto map outside_map 6 match address VPN
    crypto map outside_map 6 set peer <<client FW outside interface ip(y.y.y.y) >>
    crypto map outside_map 6 set ikev1 transform-set ESP-3DES-MD5
    crypto map outside_map 6 set security-association lifetime seconds 28800
    crypto map outside_map 6 set security-association lifetime kilobytes 4608000
    tunnel-group y.y.y.y type ipsec-l2l
    tunnel-group y.y.y.y ipsec-attributes
    ikev1 pre-shared-key *****
    =========================================================
    Please confirm if this config is correct.

    Hi,
    Well, there are a couple of options:
    You can configure a filter ACL for the L2L VPN.
    You can configure "no sysopt connection permit-vpn".
    While configuring the VPN filter is the easiest way to restrict connections coming from VPNs WHEN you have a lot of existing VPN connections, I still wouldn't recommend it as a first choice as it can get a bit complicated.
    The second option is something that I personally like, BUT using it depends on your current environment.
    If you were to add the command "no sysopt connection permit-vpn", THEN ANY connection coming through VPN connections through the "outside" interface of your ASA would need to have a permitting ACL rule on the "outside" interface ACL.
    So judging by the number in your "crypto map" configuration, which is "6", I assume you have multiple L2L VPN configurations at least, possibly remote access VPN also?
    If this is the case then you would have to first create ACL rules to define what connections can be initiated from behind the VPN connections on each of those connections BEFORE enabling the command I mention. If you didn't, then all connections from the direction of the remote host or remote network would start to get blocked by the ASA.
    When you enable that command you can basically use the "outside" interface ACL to allow and deny traffic that is coming through the VPN just as if it were coming through the Internet.
    So if you are able to preconfigure the ACL rules for all of your existing VPN connections, THEN I would recommend using "no sysopt connection permit-vpn" to BLOCK ALL connections coming through VPN connections UNLESS they are allowed in the interface ACL of the "outside" interface.
    Hope I made some sense.
    Naturally ask more if needed
    - Jouni
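    Added example, not part of the thread: both options from the reply above, applied to the tunnel in the question. It reuses server_IP, client_IP and the peer y.y.y.y from the question; the group-policy name GP_CLIENT_L2L, the ACL names and the restriction to TCP/443 are assumptions. Use one option or the other, not both.

```cisco
! Added example; not the questioner's or Jouni's configuration.
! Reused from the question: server_IP, client_IP, peer y.y.y.y.
! Assumed: the client only needs TCP/443 to the two servers; the names
! GP_CLIENT_L2L, CLIENT_VPN_FILTER and outside_access_in are made up.
object-group network server_IP
 network-object host 10.150.20.131
 network-object host 10.150.20.132
object network client_IP
 host 121.16.141.x

! Option 1: vpn-filter on the tunnel-group's group-policy.
! The ACL is written from the remote side's point of view (source = the
! client's NATed address, destination = our servers). The ASA also checks
! return traffic against it, so one line covers the whole TCP session.
access-list CLIENT_VPN_FILTER extended permit tcp object client_IP object-group server_IP eq 443
group-policy GP_CLIENT_L2L internal
group-policy GP_CLIENT_L2L attributes
 vpn-filter value CLIENT_VPN_FILTER
tunnel-group y.y.y.y general-attributes
 default-group-policy GP_CLIENT_L2L

! Option 2: stop bypassing the interface ACL for decrypted traffic. Every
! other VPN that terminates on "outside" must already have its own permit
! lines in outside_access_in before the last command is entered, or it is
! cut off the moment the command takes effect.
access-list outside_access_in extended permit tcp object client_IP object-group server_IP eq 443
access-group outside_access_in in interface outside
no sysopt connection permit-vpn

! Check which filter, if any, the live tunnel is using:
! show vpn-sessiondb detail l2l filter ipaddress y.y.y.y
```

    The vpn-filter direction is the part that trips people up: if our servers ever need to open connections towards the client, that line is still written with the client as source, with the port on the source side (for example "permit tcp object client_IP eq 443 object-group server_IP"). With option 2 the rules read exactly like Internet-facing rules, which is why the reply prefers it once every existing tunnel has its permits in place.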

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However, when I configure the ASA for the AAA group with the commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth (inside) host 10.10.10.56 AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route information), which causes the AAA authentication to fail.
    Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html
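    Added example, not from Jo's post or the reply (which describes IOS AAA rather than the ASA): the pieces needed for an ASA to reach a RADIUS server on the far side of an L2L tunnel. Reused from the post: ACSAuth, 10.10.10.56, AcsSecret123. Assumed: ASA 8.4 syntax, inside interface 192.168.1.1/24, local LAN 192.168.1.0/24, remote LAN 10.10.10.0/24, peer 198.51.100.1, a crypto map named outside_map, a transform-set ESP-AES-256-SHA and a remote-access tunnel group RA_USERS.

```cisco
! Added example; not from Jo's post or the reply. Assumed: ASA 8.4 syntax,
! inside interface 192.168.1.1/24, local LAN 192.168.1.0/24, remote LAN
! 10.10.10.0/24 containing the ACS server, peer 198.51.100.1, crypto map
! "outside_map", transform-set ESP-AES-256-SHA, tunnel group RA_USERS.
! Reused from the post: ACSAuth, 10.10.10.56, AcsSecret123.

! 1. The crypto ACL must cover the ASA's own inside address (here within
!    192.168.1.0/24) and the remote end must mirror it. Traffic the ASA
!    originates only enters the tunnel if it matches these proxy identities;
!    anything else follows the default route to the ISP in the clear.
access-list L2L_TO_REMOTE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address L2L_TO_REMOTE
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! 2. Let the ASA source its own traffic through the tunnel from the inside
!    interface address (assumed here to be the step the post is missing; the
!    same command is used for syslog, SNMP and ping from the ASA over VPN).
management-access inside

! 3. RADIUS server bound to the inside interface; the key goes in host mode.
aaa-server ACSAuth protocol radius
aaa-server ACSAuth (inside) host 10.10.10.56
 key AcsSecret123
 timeout 10

! 4. Use the server for the remote-access tunnel group.
tunnel-group RA_USERS general-attributes
 authentication-server-group ACSAuth

! Verify: the test request should raise the tunnel's encaps/decaps counters
! rather than leaving via the outside interface.
! test aaa-server authentication ACSAuth host 10.10.10.56 username testuser password testpass
! show crypto ipsec sa peer 198.51.100.1
```

    If the test fails while the counters do not move, the packets are not being encrypted; check that "show crypto ipsec sa" lists 192.168.1.0/24 as the local identity on both ends before looking at the RADIUS server itself.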

  • Cisco ASA - 2 Site to Site routes needed for failover -Is possible?

    3 physical sites. 2 ASA 5510 (routing mode). The 3rd site is in between the ASA sites. 2 different connections. Depending on which link goes down, a certain set of network lists for the site-to-site VPN is needed to place the 3rd site's subnets where they belong. The tunnels all work. Here is my wonder: can I automate this somehow in my environment (all Cisco 3750/3560/2960) so that I can leave both tunnels in place and, if either link dies, the appropriate tunnel is picked for failover? Running 8.03 code on the ASA. Using EIGRP (love that protocol). Anyone have any ideas?

    You can implement failover or load balancing. Use these configuration examples for your configuration.
    http://cisco.com/en/US/products/ps6120/tsd_products_support_configure.html

  • Good CCIE question: Can multiple site-2-site VPNs support dynamic routing protocols?

    Hi All,
    Was not sure if this should be posted in LAN routing, WAN routing or VPN forums: I have posted here as the VPN tunnels are the limiting factors...
    I am trying to understand if it is possible to have dynamic routing between LANs when using site to site VPNs on three or more ASA55x5-x (9.0).
    To best explain the question I have put together an example scenario:
    Lets say we have three sites, which are all connected via a separate site-2-site IKEv2 VPNs, in a full mesh topology (6 x SAs).
    Across the whole system there would be a 192.168.0.0/16 subnet which is divided up by VLSM across all sites.
    The inside / outside interfaces of the ASA would be static IPs from a /30 subnet.
    Routing on the outside interface is not of concern in this scenario.
    The inside interface of the ASA connects directly to a router, which further uses VLSM to assign additional subnets.
    VLSM is not cleanly summarised per site. (I know this flies against VLSM best practice, but it makes the scenario clearer...)
    New subnets are added and removed at each site on a frequent basis.
    EIGRP will be running on each core router, and any stub routers at each site.
    So this results in the following example topology, of which I have exaggerated the VLSM position:
    (http://www.diagram.ly/?share=#OtprIYuOeKRb3HBV6Qy8CL8ZUE6Bkc2FPg2gKHnzVliaJBhuIG)
    Now, using static route redistribution from the ASAs into EIGRP and making the ASAs to be an EIGRP neighbour, would be one way. This would mean an isolated EIGRP AS per site, but each site would only learn about a new remote subnet if the crypto map match ACL was altered. But the bit that I am confused over, is the potential to have new subnets added or removed which would require EIGRP routing processes on the relevant site X router to be altered as well as crypto map ACLs being altered at all sites. This doesn't seem a sensible approach...
    The second method could be to have the 192.168.0.0/16 network defined in the crypto map on all tunnels and allow the ASA's routing table to choose which tunnel to send the traffic over. This would require multiple neighbours for the ASA, but for example in OSPF, it can only support one neighbour over a S2S VPN when manually defined (point-to-point). The only way round this I can see is to share our internal routing tables with the IP cloud, but this then discloses information that would otherwise be protected by the IPsec tunnel...
    Is there a better method to propagate the routing information dynamically around the example scenario above?
    Is there a way to have dynamic crypto maps based on router information?
    P.S. Diagram above produced via http://www.diagram.ly/

    Hi Guys,
    Thanks for your responses!  I am learning here, hence the post.
    David: I had looked into the potential for GRE tunnels, but the side-effects could outweigh the benefits.  The link provided shows how to pass IKEv1 and ISAKMP traffic through the ASA.  In my example (maybe not too clear?) the IPsec traffic would be terminated on the ASA and not the core router behind.
    Marcin: Was looking at OSPF, but is that not limited to one neighbour, due to the "ospf network point-to-point non-broadcast" command in the example (needed to force the unicast over the IPSEC tunnel)? Have had a look in the ASA CLI 9.0 config guide and it is still limited to one neighbour per interface when in point-to-point:
    ospf network point-to-point non-broadcast: Specifies the interface as a point-to-point, non-broadcast network. When you designate an interface as point-to-point and non-broadcast, you must manually define the OSPF neighbor; dynamic neighbor discovery is not possible. See the "Defining Static OSPFv2 Neighbors" section for more information. Additionally, you can only define one OSPF neighbor on that interface.
    Otherwise I would agree it would be happy days...
    Any other ideas (maybe around iBGP, like OSPF) which do not involve GRE tunnels or terminating the IPsec on the core router please?
    Kindest Regards,
    James.
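    What the single-neighbour OSPF-over-IPsec setup James quotes looks like on one ASA, as an added example that is not from any post above or from Cisco's documentation. All addresses, interface and ACL names, the peer and the proposal name are constructed placeholders; the IKEv2 proposal and tunnel-group definitions are omitted.

```cisco
! Added example: ASA at site A forming an OSPF adjacency with site B's ASA
! across one IKEv2 site-to-site tunnel. Every address and name is a
! constructed placeholder.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
 ! Point-to-point non-broadcast makes OSPF use unicast hellos, which the
 ! crypto map can carry, and restricts the interface to ONE static neighbour.
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 203.0.113.0 255.255.255.252 area 0
 network 192.168.1.0 255.255.255.0 area 0
 ! The one static neighbour the interface allows: site B's outside address.
 ! A second tunnel needs another interface, which is the limit discussed above.
 neighbor 198.51.100.1 interface outside
 log-adj-changes
!
! Interesting traffic: the site LANs plus the unicast OSPF exchanged
! between the two outside addresses, so the adjacency itself is encrypted.
access-list VPN-A-TO-B extended permit ospf host 203.0.113.1 host 198.51.100.1
access-list VPN-A-TO-B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto map OUTSIDE_MAP 10 match address VPN-A-TO-B
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

    This assumes the ASA accepts the off-subnet static neighbour on a point-to-point interface; confirm the adjacency reaches FULL with `show ospf neighbor` and that the OSPF traffic is counted against the tunnel with `show crypto ipsec sa`.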

  • Dynamic routing through VPN on ASA

    I have an environment with multiple remote offices connecting to an ASA at the core. Currently we create separate IPSec tunnels to each subnet that the remote office needs to connect to. We would like to enable dynamic routing to allow access to all the networks through one tunnel. The SOHO routers at the remote sites will support RIP V1 and V2. Can I enable RIP in my ASAs in a way that will propagate only the routes coming through the VPN tunnels? I can then redistribute them through EIGRP in my core routers.
    Thanks

    Erick,
    I guess I fall into the hairpinning category. Playing with different traceroutes and pings I am going back out the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to say google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to say google does not work. I am thinking that may be something up with my cloud firewall provider. That is what started this whole thing in the first place.
    I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?
    Brent

  • What is the preferred dynamic routing over l2l/ipsec?

    what is the preferred dynamic routing over l2l/ipsec?

    Pretty much what you might use if not IPSec.
    Do you have some reason why IPSec should have a preferred routing protocol or are you just wondering if there is a preferred routing protocol for IPSec?

  • ASA with Multiple dynamic L2L VPN

    I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
    I need also some L2L-VPN with dynamic remote peer.
    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?
    Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
    But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
    tunnel-group ABCD ipsec-attributes
    pre-shared-key *
    Is this configuration correct?
    Best regards
    Claudio

    Hi,
    Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
    Hope this helps
    - Jouni

  • Want to configure BACKUP VPN in asa 5505 for failover link

    Hi,
    Currently I have 2 ISPs, one Tata and another one Reliance. I want to configure the backup VPN for the Reliance IP for the same peer IP which the Tata VPN had configured.
    Is it mandatory to configure the same SA, encryption, IPsec policy, key, lifetime, etc. for the failover VPN also?

    Hi michael,
    First of all, thanks for the reply.
    Can we do it by public certificate or DNS entry, e.g. both ISP public IP address entries will be in DNS and the user will hit a particular DNS name? You are right that once the link is down the user will disconnect, but when he retries then he will connect via the other link.
    Is it possible??
    Ashish

  • Best VPN Firewall Router for iPhone

    Hi,
    I am looking for opinions regarding VPN routers that will let me connect with the iPhone. I'm setting up an office computer network with about 10-20 computers and plan to tunnel in with iPhone and MacBook when away from the office.
    Also, I am looking at a second location, so the ability to have a router to router VPN between two separate office would be a big plus!
    Thank you,
    Jake
    iPhone version 3.13

    This seems to be a topic that is not easy to answer. Why? There are a lot of variables. Seems like iPhone supports IPsec/L2TP/PPTP, but when I tried to connect to a PIX 506E using IPsec/UDP (NAT-T) it just kept failing even though I knew all the settings were right. If you are looking for a cheap solution like a Cisco small office router or an open source firmware for a WiFi router, no luck. Cisco ones support some "easy" VPN solution, or a router to router VPN, and the DD-WRT or Tomato variants mostly support OpenVPN or PPTP (but I am still researching the PPTP right now). Best bet is a VPN appliance like a Cisco ASA or a SonicWall. You get what you pay for and you should get support as well. An ASA 5510 will do it, or one of the SonicWall units should work.

  • Dynamic Routing with VPN and multiple Peers

    I have several sites that connect to my primary host site (ASA5525-X) via LAN to LAN tunnels and currently all internal host routing is static. I need to implement a backup host site (ASA5520) for the remote sites to connect to. I know that I can add additional peers on each remote site for the host sites. However, I need to be able to do dynamic routing, so that it does not matter which site they are connected to; the internal networks will learn where to route the traffic. I am running OSPF on my internal networks at both Primary and Backup host sites and they have an internal connection between the two sites.
    Is there a way to accomplish this on the ASAs?
    Thanks,
    Doug

    To make my question perhaps a little clearer, this is an example of how I would like the result to look:
    http://www.latitudes.co.uk/dept_search_pages/search_provence.php
    where the labels with the checkboxes are retrieved from the 'category' table and when one or more boxes are ticked, the corresponding values are used to make the selection in the WHERE statement in the MySQL query.
    Hope someone can help me out.
    Erik
