Home office WAN/VPN failover (Cisco ASA) - design
Posted on 2012-04-08
A customer is looking for an improved home teleworker solution beyond the current point-to-point T1 data connections to the main office. The plan is to deploy a secondary connection to each home over broadband cable (over Mediacom/US), and have this higher-speed link provide the primary connection over VPN. If this connection drops, they'd like the existing T1 connection to serve as the backup, and have connectivity immediately fail over.
The main office is currently being served by a Cisco ASA 5520, and an ASA 5505 can be deployed at each home office to provide for the VPN connection over the cable connection. The existing connection looks like this:
Main --- T1 router ------WAN------- T1 router ----Home
Adding an ASA to this at the home office would possibly look like the following:
Main --- T1 router ------ WAN ------T1 router ----ASA ----home PC
---- ASA ------------ Internet ---------------Cable modem
So, the new ASA at the home office would front both the T1 (non-VPN) connection and the VPN connection over the new cable connection. I need to resolve the following questions:
1) Will the above design work? Can an ASA be configured to send all data over a VPN connection, and then somehow when the VPN drops, start sending data over the unencrypted T1 WAN connection? (Plus, failing back to the cable connection when it becomes available once more...)
2) If so, looking for some configuration guidance for the ASA on how this would be accomplished.
Thank you - reference links/docs are always appreciated.
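The usual way to build what the post describes on an ASA is static-route tracking: an IP SLA probe goes out the cable interface, a tracked default route via the cable ISP is withdrawn when the probe fails, and a higher-metric (less preferred) default route via the T1 router takes over; when the probe recovers, the tracked route returns and the site-to-site tunnel re-establishes on the next interesting packet. Below is an added example of a home-office ASA 5505 configuration for that design, written for this page and not taken from the original post or from Cisco documentation. It assumes ASA 8.4 syntax, a Security Plus license on the 5505 (dual-ISP backup interfaces are not available with the Base license), a constructed home LAN of 192.168.10.0/24, a constructed main-office LAN of 10.0.0.0/16, a cable address of 203.0.113.10 with ISP gateway 203.0.113.1, a main-office ASA public address of 198.51.100.5 that answers ICMP on its outside interface, and the T1 router's LAN side at 10.1.1.1. The main-office ASA needs the mirror-image crypto map, identity NAT and a route for 192.168.10.0/24 toward its own T1 router, which is not shown.

```cisco
! --- Interfaces (constructed addresses; 5505 ports are switch ports mapped to VLANs)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Vlan3
 nameif backup
 security-level 0
 ip address 10.1.1.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! --- Reachability probe: ICMP echo to the main-office ASA, forced out the cable interface
!     so the probe keeps testing the cable path even after the default route has moved.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.5 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! --- Default routes: the cable route exists only while track 1 is up; the T1 route
!     (metric 254) is installed the moment it is withdrawn, and removed when it returns.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.1.1.1 254
!
! --- NAT: keep real addresses for home<->main-office traffic on both paths
!     (so the VPN crypto ACL matches, and the private T1 carries the same addresses);
!     PAT everything else to whichever interface is currently the egress.
object network HOME-LAN
 subnet 192.168.10.0 255.255.255.0
object network MAIN-LAN
 subnet 10.0.0.0 255.255.0.0
!
nat (inside,outside) source static HOME-LAN HOME-LAN destination static MAIN-LAN MAIN-LAN no-proxy-arp route-lookup
nat (inside,backup) source static HOME-LAN HOME-LAN destination static MAIN-LAN MAIN-LAN no-proxy-arp route-lookup
!
object network PAT-VIA-OUTSIDE
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network PAT-VIA-BACKUP
 subnet 0.0.0.0 0.0.0.0
 nat (inside,backup) dynamic interface
!
! --- Site-to-site IPsec bound to the cable interface only. When the default route
!     moves to "backup", home->main traffic no longer leaves via "outside", so the
!     crypto map does not apply and the packets ride the private T1 in the clear.
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.5
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
```

To confirm the behaviour, unplug the cable modem and watch `show track 1` change from Up to Down and `show route` replace the outside default route with the backup one; `show crypto ipsec sa` will show the SA go idle and come back once the cable path returns and a host sends traffic toward the main office. Two design points worth checking before deploying: the probe target must answer ICMP through the cable path only, otherwise a dead cable link can still look up; and because the backup default route also carries Internet traffic, the main-office side must either route that traffic onward or the home office will lose Internet access while on the T1.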