[c-nsp] Route or Tunnel?

Vijay Ramcharan vramcharan at totality.com
Fri Jul 21 13:22:13 EDT 2006


Phil, thanks for your response. 
The backup tunnel will be via the Internet. Sorry that was not in the
original ASCII diagram I sent.  
So, both the ASA and the router will have a common subnet by which they
can get to the Internet. 
This common subnet is the LAN interface of a DSL modem. 
So if the T1 is up, use it, otherwise get to the Main office via a VPN
tunnel. 

I did some other research into this and came up with the possibility of
using a GRE over IPSec tunnel on the Router at the branch office and at
the main office. 

See
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
I think it should work as the only VPN traffic I'd match in the
crypto-map would be GRE encapsulated traffic between the branch office
router and the main office router. There shouldn't be any crypto-map
ACLs matching actual subnets that exist on each end. All that I'd need
to match would be traffic that's GRE encapsulated. 
I will have to test this to be sure though. 
What do you think? 
 
The revised setup is (pardon my ASCII doodle): 
 
				INTERNET
				|
				|
				[DSL Modem]
				|
				|
			--------------
			|		|
			|		|
[branch office] ->[ASA]		[Router]- - -T1- -> Main office 

		  
 
Vijay Ramcharan  
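An added sketch of the branch-router side of the GRE-over-IPsec design described above (not from this thread or from the linked Cisco document): the crypto ACL matches only GRE between the two public endpoints, never the LAN subnets, and a floating static route with an administrative distance above OSPF's 110 sends traffic into the tunnel only after the OSPF route over the T1 disappears. All addresses, interface names and the pre-shared key are placeholders.

```cisco
! Branch router: GRE over IPsec to the main office router (added example;
! every address, name and the key below is a placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACL matches only the GRE packets between the two tunnel endpoints,
! so no crypto ACL line ever overlaps the subnets routed over the T1.
ip access-list extended GRE-ONLY
 permit gre host 203.0.113.2 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-ONLY
!
interface Tunnel0
 description GRE to main office router, encrypted by crypto map VPN
 ip address 10.255.255.2 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
interface FastEthernet0/0
 description LAN side of the DSL modem (Internet)
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN
!
! Main-office subnet (placeholder 10.0.0.0/16) is normally learned via OSPF
! over the T1 (AD 110). This floating static (AD 250) is installed only when
! that OSPF route is withdrawn, which is what triggers the failover.
ip route 10.0.0.0 255.255.0.0 Tunnel0 250
!
! Check: "show ip route 10.0.0.0" should show the OSPF route while the T1 is
! up and the static via Tunnel0 after it fails; "show crypto ipsec sa" should
! show a single SA for the GRE-only proxy identities with rising counters.
```

Because the GRE tunnel stays up while the T1 is healthy, watching the tunnel's IPsec SA counters is also a quick way to confirm that no production traffic is leaking onto the backup path before a failover is actually needed.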
 
-----Original Message-----
From: Phil Bedard [mailto:philxor at gmail.com] 
Sent: Friday, July 21, 2006 12:31 PM
To: Vijay Ramcharan
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Route or Tunnel?

I would think you'd need to use two different interfaces since the
crypto map is defined on the actual interface and the traffic would
obviously have the same source/destination IPs. It would be easier
with IPSEC Tunnel interfaces, just a higher metric static route would be
needed, but you have an ASA.
 
I guess my question is what is the backup tunnel going to fix if those
routes aren't reachable via OSPF and the tunnel traverses the same T1?
What failure condition have you seen that this would solve the problem?

 
Phil 

 
On 7/20/06, Vijay Ramcharan <vramcharan at totality.com> wrote: 

	Hi all,
	
	Is it possible to have a Cisco ASA 5510 only use a locally configured
	LAN to LAN tunnel (existing on the ASA itself) if it loses a dynamic
	route learnt via OSPF from a neighboring router? The neighboring router
	has a point-to-point circuit to the same remote site as the ASA's L2L
	tunnel.
	
	Here's the setup:
	
	[branch office] -> [ASA] -> [Router]- - -T1- -> Main office 
	
	The L2L tunnel on the ASA goes to a VPN concentrator at the Main office.
	The L2L tunnel to the Main office is configured on the ASA but should
	only be used if the dynamic route from the router goes away.
	
	Thanks
	
	Vijay Ramcharan
	
	
	_______________________________________________
	cisco-nsp mailing list  cisco-nsp at puck.nether.net
	https://puck.nether.net/mailman/listinfo/cisco-nsp
	archive at http://puck.nether.net/pipermail/cisco-nsp/
	




