Please take a look at the attached JPG.
What I need to be able to set up is a scenario where if the LES goes down, routing between the subnets is automatically achieved by the VPN tunnel configured between the ASA devices (I haven't actually configured it yet, but I'm comfortable with this part).
Additionally, if the Internet connection goes down at either site, I need Internet traffic to be re-routed to the alternative ASA via the LES circuit.
I can provide configs if necessary, but they are fairly standard. The query is not how to execute this, as I'm quite comfortable with configuring ASAs and Catalysts (I think), but more around the design aspect.
1. Can this be done with the equipment shown here?
2. Can someone point me towards some relevant examples (I can't find any)?
My initial thoughts were:
- Set the default gateway to be the switches at each site (.250 HSRP address)
- Set up an RTR / TRACK to send pings to a known device on each of the alternate networks
- If the RTR fails, then re-route to the ASA using a secondary route statement
For the Internet failover:
- Have a separate RTR pinging Google or the BBC or something on each of the switches.
- When that RTR fails, send traffic over the LES switch port instead of redirecting it to the ASAs
My only thought about this is that, of course, with HSRP set up, both subnets are directly connected to each of the switches, so how do I go about enforcing a route statement and an ICMP redirect through to the ASA at each site? Is there a value I can assign this, or some command I can execute that will ignore the directly connected VLANs and route externally?
We set up the LES with HSRP and inter-VLAN routing on both switches because, if I am honest, I couldn't get the Catalysts to route using switchports in the standard manner (i.e. like a router). So, for instance, sending any traffic for 192.168.70.0/24 over switchport 1 on 192.168.60.251, and vice versa on the alternate switch 192.168.70.251, didn't work for some reason. I spent ages trying to figure this out, and eventually realised that HSRP with both VLANs present at each site was actually a better way to set it up anyway; however, now I'm presented with this additional challenge.
Any pointers on the design greatly appreciated.
I should add that the ASAs are running 8.3(1), and I read that these now support ICMP redirects; however, actually trying to get them to issue ICMP redirects seems to be a bit of a black art! I wonder whether what the documentation means is that the ASAs themselves will accept ICMP redirects and route accordingly? Any clues as to this greatly appreciated.
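The following is an added illustration of the IP SLA / track design sketched in the post (it is not configuration from the original poster or from the attached diagram). It covers the Site A Catalyst (192.168.60.251, HSRP .250) and assumes addresses the post does not give: ASA-A inside 192.168.60.254, ASA-B inside 192.168.70.254, and 8.8.8.8 as the Internet probe target; the far-end switch address 192.168.70.251 is taken from the post. Two points a practitioner would check before relying on it. First, while Vlan70 is up on the Site A switch, 192.168.70.0/24 is a connected route (administrative distance 0) and no static route (distance 1 or higher) will displace it, so the site-to-site failover is done here with policy-based routing and an inverted track list rather than a floating static; if the LES port is the only member of Vlan70 at Site A, the SVI drops when the LES fails and a plain floating static would also work. Second, PBR with `verify-availability` and boolean track lists are not available on every Catalyst feature set or IOS release, so confirm support on the actual switches; on older IOS the `ip sla` and `track ... ip sla` commands are `rtr` and `track ... rtr` instead.

```ios
! Added example: Site A Catalyst (192.168.60.251). Assumed addresses are marked.
!
! 1. Probe the far-end switch across the LES. Source from the real SVI address,
!    not the HSRP VIP, so the reply returns to this switch regardless of HSRP state.
ip sla 10
 icmp-echo 192.168.70.251 source-ip 192.168.60.251
 frequency 5
 threshold 1000
 timeout 2000
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! 2. PBR fires only while its tracked object is UP, so track 11 is "NOT track 10":
!    up when the LES path is dead, down while the LES is healthy.
track 11 list boolean and
 object 10 not
!
ip access-list extended SITE-A-TO-SITE-B
 permit ip 192.168.60.0 0.0.0.255 192.168.70.0 0.0.0.255
!
! LES down (track 11 up): hand 60->70 traffic to ASA-A (assumed inside address)
! so it rides the VPN tunnel. LES up (track 11 down): PBR falls through to the
! normal connected route across the LES.
route-map LES-FAILOVER permit 10
 match ip address SITE-A-TO-SITE-B
 set ip next-hop verify-availability 192.168.60.254 10 track 11
!
interface Vlan60
 ip policy route-map LES-FAILOVER
!
! 3. Internet failover. Pin the probe target to the local ASA with a host route so
!    the probe keeps testing the LOCAL Internet path after the default route has
!    moved; otherwise the probe would succeed via ASA-B and the route would flap.
ip route 8.8.8.8 255.255.255.255 192.168.60.254
!
ip sla 20
 icmp-echo 8.8.8.8 source-ip 192.168.60.251
 frequency 10
 threshold 2000
 timeout 3000
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 20 up 60
!
! Primary default via ASA-A, withdrawn when track 20 fails; floating static
! (distance 250) via ASA-B's inside address (assumed), reachable over the LES
! because Vlan70 is also present on this switch.
ip route 0.0.0.0 0.0.0.0 192.168.60.254 track 20
ip route 0.0.0.0 0.0.0.0 192.168.70.254 250
```

The Site B switch mirrors this with the 60/70 roles and assumed ASA addresses swapped. For the Internet leg to work end to end, each ASA must permit and NAT the probe from the switch's real address and must also NAT and permit the other site's subnet arriving on its inside interface, since after failover ASA-B sees sources from 192.168.60.0/24 on its inside; with both VLANs trunked across the LES those packets arrive directly, so no return route beyond the connected VLANs is needed on the ASA.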