Internet Failover from T-1 to Cable Connection


Was wondering if it's possible to do the following:

A remote site has a T-1 connection running a LAN-to-LAN VPN to our main site from ASA 5510 to ASA 5510. (Internally we have a 2600 series switch.) In the event this connection goes down, we would like to configure a business class cable internet connection for failover. The cable company provides a modem connected to an 800 series router (all managed by them). Is there any way, through routing policy or something, that I can have the ASA fail the VPN over from the T-1 to the business internet connection automatically in the event of a T-1 outage?

At the very least, can I have individual users fail over via AnyConnect VPN if I can get the business class cable connection to be live on the network?

I guess I am wondering if the ASA can handle 2 connections and can handle failover (and retain the IPsec tunnel in the process). If not, can I at least retain internet access (even if I have to kickstart the VPN tunnel)? I have been told I can put the cable connection in bridged mode?

Any help?  Thanks!

PS - I CAN get a router if I need to... I have a 2800 series to spare. AND I have a second ASA 5510 to spare.


kmk2123Author Commented:
Also forgot to mention that we have private IP space from ARIN. I can use a dedicated /24 if need be.

The ASA can fail over from a primary ISP to a secondary ISP. Cisco has a how-to on it right here:

Please note that you need to have at least the version indicated, 7.x. And you need to have a 5510 or better.

When the failover happens, only outbound traffic will function. Inbound traffic will still be trying to hit the IP block from the original ISP. This includes AnyConnect clients on the outside. None of the site-to-site IPsec tunnels will function, since the peer IP of your ASA will change to reflect the secondary ISP configuration. The only way around the site-to-site issue is to use a dynamic-to-static VPN tunnel where this side is dynamic and the remote end is static. The cons... only this side can initiate the tunnel; the other side cannot.
kmk2123Author Commented:
Gotcha - so just to be clear: the VPN tunnel would have to be initiated from the remote site (rather than my main site)? MAIN SITE: STATIC -------> REMOTE SITE: DYNAMIC?

However, could I not set the ASA device to use my own /24 from ARIN? Although I would assume on the ASA WAN side it would need the provider IPs, not my own...
Whichever side of the VPN will be implementing the ISP failover would have to be dynamic, since it could try to establish a VPN tunnel from either the primary ISP IP or the secondary ISP IP. The remote side would have to have the static

On the ASA WAN side, it would need to use the routable IP provided by the ISP. I don't recall seeing a setup like this except with a managed router in between the ASA and the ISP....
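Below is an added configuration example, not from this thread and not the Cisco how-to the first reply refers to, showing the two pieces the replies describe: ISP failover on the ASA (an SLA probe driving a tracked default route, with NAT on both egress interfaces) and the dynamic-to-static tunnel arrangement in which the dual-ISP side is the dynamic peer and the main site is the static peer. Every address, interface name, ACL name and map name is a constructed placeholder (RFC 5737 documentation ranges); the syntax assumes the 7.2/8.2-era CLI (pre-8.3 NAT, no `ikev1` keywords) and the PSK is a placeholder you replace.

```text
! ===== Remote site ASA: two ISPs, the DYNAMIC VPN peer =====
! Constructed addresses: T-1 outside 203.0.113.10/30 (gw 203.0.113.9),
! cable "backup" 198.51.100.10/29 (gw 198.51.100.9), main-site static
! peer 192.0.2.1, remote LAN 192.168.10.0/24, main LAN 192.168.1.0/24.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.252
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! ICMP probe forced out the T-1 interface; three lost echoes bring track 1 down
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
!
! Primary default route exists only while track 1 is up; backup has a worse metric
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! PAT behind whichever egress interface the active default route uses
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Keep the LAN-to-LAN traffic out of NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! IKE/IPsec toward the static main-site peer, bound to BOTH egress interfaces,
! so the tunnel is re-established from whichever ISP address is in use
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable backup
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list l2l_main extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 10 match address l2l_main
crypto map outside_map 10 set peer 192.0.2.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto map outside_map interface backup
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! ===== Main site ASA: the STATIC peer, accepts the remote site from either ISP address =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list l2l_remote extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto dynamic-map dyn_remote 10 match address l2l_remote
crypto dynamic-map dyn_remote 10 set transform-set ESP-AES-SHA
! Dynamic entry takes the highest sequence number so any static peers match first
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_remote
crypto map outside_map interface outside
! A peer with an unknown source address authenticates against DefaultL2LGroup;
! a dynamic entry cannot initiate, so only the remote site brings the tunnel up
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
```

Two things worth checking when you deploy something like this. First, the probe target: the `interface outside` keyword sends the echo out the T-1 regardless of the routing table, so pick a target that proves the T-1 path actually works (ideally something beyond the ISP's first hop, not just the gateway that may answer while upstream is dead), and confirm the switch with `show route` and `show track 1` after pulling the T-1. Second, the static side's `DefaultL2LGroup` key is accepted from any source address that presents it, so it should be a long random secret used only for this purpose, and the `match address` ACLs on both dynamic and static maps are what confine the tunnel to the two LANs.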

