Solved

Home office WAN/VPN failover (Cisco ASA) - design

Posted on 2012-04-08
5
396 Views
Last Modified: 2014-06-09
A customer is looking for an improved home teleworker solution beyond the current point-to-point T1 data connections to the main office. The plan is to deploy a secondary connection to each home over broadband cable (over Mediacom/US), and have this higher-speed link provide the primary connection over VPN. If this connection drops, they'd like the existing T1 connection to serve as the backup, and have connectivity immediately fail-over.

The main office is currently being served by a Cisco ASA 5520, and an ASA 5505 can be deployed at each home office to provide for the VPN connection over the cable connection. The existing connection looks like this:

      Main --- T1 router ------WAN------- T1 router ----Home

Adding an ASA to this at the home office would possibly look like the following:

     Main --- T1 router ------ WAN ------ T1 router ---- ASA ---- home PC
       |                                                  |
       ---- ASA ------------ Internet -------------- Cable modem

So, the new ASA at the home office would front both the T1 (non-VPN) connection as well as the VPN connection over the new cable connection.  I need to resolve the following questions:

1) Will the above design work?  Can an ASA be configured to send all data over a VPN connection, and then somehow when the VPN drops, start sending data over the unencrypted T1 WAN connection?  (Plus, failing back to the cable connection when it becomes available once more...)

2) If so, looking for some configuration guidance for the ASA on how this would be accomplished.

Thank you - reference links/docs are always appreciated.
0
Question by:cfan73
5 Comments
 
LVL 10

Accepted Solution

by:
rscottvan earned 500 total points
ID: 37823374
Here's an article describing how to configure the WAN failover:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

I'm thinking you can just create a tunnel on the cable side and route traffic to it, and let traffic drop when you route over the T1, since it's private.  If you need a tunnel on both sides, just build 2 tunnels, and set up the routing to send traffic to the cable tunnel first, then the T1 tunnel if the cable connection drops.

Here's another article with a VPN as well:
http://www.petenetlive.com/KB/Article/0000544.htm
0
 

Author Comment

by:cfan73
ID: 37826003
Thanks for the response.

I've seen the first document before, and the current situation differs in that the backup circuit  is not a 2nd Internet service provider, but a direct WAN connection back to the main site. (Thus, it's already there and terminated by a local 1721 router, and wouldn't have to pass through the new 5505 ASA.)  I'm not sure if this changes the design/configuration, but it might...

Would this work?:

- Configure IP SLA across the new (VPN) connection to the outside interface of the head-end ASA, with link tracking.
- Configure a default route on the ASA to this same interface IP.
- Configure static route(s) on the ASA w/ a higher administrative distance (so, floating) to the remote nets over the T1 WAN connection.

Thanks again
0
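
The tracked-route arrangement proposed in the comment above, written as ASA configuration; this is an added example, not configuration posted by anyone in the thread. All addresses, the SLA and track numbers, and the interface name `t1wan` (a third interface facing the local T1 router) are assumptions.

```cisco
! Constructed values (not from the thread):
!   203.0.113.10   head-end ASA outside address (SLA probe target and VPN peer)
!   198.51.100.1   cable-side next hop
!   10.10.0.0/16   main-office networks
!   192.168.50.1   local T1 router, reached through hypothetical interface "t1wan"

! Probe the head-end ASA across the cable path every 10 seconds.
! The echo leaves the outside interface in the clear, so it proves the
! Internet path to the VPN peer is up, not that the tunnel itself is up.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 follows the reachability result of SLA operation 10.
track 1 rtr 10 reachability

! Untracked default route: keeps the probe target reachable during failover,
! so the probe can succeed again and trigger fail-back.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Primary path to the main-office networks: out the interface carrying the
! crypto map. This route is withdrawn while track 1 is down.
route outside 10.10.0.0 255.255.0.0 198.51.100.1 1 track 1

! Floating backup for the same prefix over the T1. With distance 254 it is
! installed only while the tracked route above is absent.
route t1wan 10.10.0.0 255.255.0.0 192.168.50.1 254
```

Route selection is longest-prefix first, so the tracked and floating routes must cover the same prefix; a floating static for the main-office networks paired only with a tracked default route would always be preferred and traffic would never enter the tunnel. `show track` and `show route` show which of the two paths is currently installed.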
 

Author Comment

by:cfan73
ID: 37840856
bump for additional input?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40121905
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
0

Question has a verified solution.