Cisco ASDM config with MPLS & backup site to site VPN

Hi -

I currently have 5 locations with identical setups:

Cisco ASA 5510 8.4(5) ASDM 7.1(1)52
primary circuit 100mbps fiber (with site-to-site MPLS)
backup circuit 100/50mbps cable
addt'l circuit 20/5mbps cable

Currently, we're running site-to-site VPNs from each site to every other site.  I created an MPLS route to one other site.  I could ping their MPLS gateway, but could not get to anything beyond that.  I've since removed that route.

My ideal setup, at each site, would look like this:

primary circuit 100mbps (with MPLS site-to-site connectivity) - if this fails:
use the backup circuit (100/50mbps cable) to provide DIA and site-to-site connectivity via VPN
alternative circuit for spillover or for guest internet access
emeka57Asked:
InteraXCommented:
Hi there.

This can be achieved. I am using this type of setup. The thing to remember is that the routing decision takes place before the IPsec decision/rules. The overview is as follows.

Routing setup:

The easiest thing to do is read out the routing tables from your MPLS provider if they can set that up for you. If not, set up static routes using SLA monitoring to ping the remote site MPLS router. This then routes the traffic via one interface or the other.

VPN setup:

Configure the VPN on each interface you want to encrypt traffic on. You can configure encryption on one or both egress interfaces according to the company requirements.

It's not too much additional config per firewall if you want to encrypt the traffic on both egress interfaces.

Depending on how your company is looking to grow the VPN config will get increasingly complex.

We currently have approx. 30 sites and our VPN config runs to hundreds of lines for each firewall. Cisco produce a management tool called Cisco Security Manager. This makes setting up the VPN rules a breeze. You just add a firewall and tell it which subnets to encrypt and it generates the config and deploys it to each firewall for you.

Let me know if you need detailed config commands.
0
emeka57Author Commented:
Yes. Can you assist me in setting this up via ASDM?  
What do I need to request from my ISP? Routing tables?
0
InteraXCommented:
I presume you have a routed VPN. Can the ISP publish their routes for the MPLS via a routing protocol, e.g. RIP/OSPF? If not, we're going to need to use routes with an SLA monitor, e.g.

sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface MPLS
! Required: without a schedule the probe never runs and the track never comes up
sla monitor schedule 1680 life forever start-time now
track 6 rtr 1680 reachability
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6

Once you've done this, you apply a standard IPsec VPN config. Have you done that before?
0
InteraXCommented:
Sorry, I should have explained the command line config. There will be options in ASDM to create the SLA monitor when creating the routes.

If packets are destined for 192.168.0.0/23 & 192.168.2.0/24, traffic will be routed via any other route due to the metric being 1. This will only happen if track 4 is OK. Track 6 calls SLA monitor 1680. SLA monitor 1680 sends pings out of interface MPLS to address 172.31.1.1 via 172.31.0.1.

This assumes that 172.31.1.1 and 172.31.0.1 are the MPLS gateway routers.

If these routes get removed from the routing table, the packets will get routed out the interface with the next best route, falling back to the default route if necessary.

To configure the VPN see http://www.petenetlive.com/KB/Article/0000072.htm.
0
emeka57Author Commented:
I'm familiar with configuring site-to-site VPNs.  What I am unclear on is the following:

a. creating routes for MPLS traffic over my MPLS gateway
b. making the site-to-site the failover if MPLS fails

All using ASDM 8.4(5)
0
InteraXCommented:
The CLI above will create the routes you need with the SLA monitors. This will put the relevant routes in the routing table whilst the remote device is up. If the remote device is down or does not respond to pings, the routes will be removed from the routing table.

I should note that, reviewing the syntax above, there are an additional 2 lines to add that may help make it easier to understand.

! Default route out the Internet-facing interface (the VPN fallback path)
route outside 0.0.0.0 0.0.0.0 10.0.0.1
! ICMP echo probe to the far-side MPLS router, sent from interface MPLS
sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface MPLS
! Required: without a schedule the probe never runs and the track never comes up
sla monitor schedule 1680 life forever start-time now
track 6 rtr 1680 reachability
! These routes stay in the routing table only while track 6 reports the target reachable
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6
route MPLS 172.31.1.1 255.255.255.255 172.31.0.1 1 track 6

In the above, the default route is out of the outside interface via 10.0.0.1.

There are also routes out the MPLS interface to networks 192.168.0.0/23, 192.168.2.0/24 and 172.31.1.1/32 via 172.31.0.1. The routes are only inserted into the routing table if the remote address 172.31.1.1 is responding to ping packets via 172.31.0.1 on the MPLS interface. If the remote address does not respond to ping packets the routes are removed from the routing table.

You then need to setup the VPN on the outside interface.

In normal working, traffic for 192.168.0.0/23, 192.168.2.0/24 and 172.31.1.1/32 will be routed via the MPLS. When something goes wrong on the MPLS, the routes are removed and traffic will use the default route. Then, because the VPN is set up on the outside interface, the traffic will be encrypted.

Whilst I cannot direct you on what to do to create the SLA monitors in ASDM, the option will be in the window where you add routes.
0
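A check for the pattern InteraX describes in the two answers above, added here as an example and not part of the thread or of any Cisco tooling: a small Python lint that reads ASA-style config text and verifies that every tracked route has a defined track, an SLA probe that is actually scheduled and sourced from the same interface as the routes it controls, and that the interface carrying the default route (the fallback path) has a crypto map bound to it so failed-over traffic is encrypted. Both config fragments are constructed for the example; the crypto map name OUTSIDE_MAP is made up, and the "bad" fragment deliberately omits the schedule line and the crypto map binding and points the probe out the wrong interface.

```python
"""Lint ASA config text for the tracked-MPLS-route / VPN-fallback pattern.

Added example, not from the thread. It only understands the handful of
commands the pattern needs (route, track, sla monitor, crypto map ... interface).
"""
import ipaddress
import re

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
ECHO_RE = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$")
SCHED_RE = re.compile(r"^sla monitor schedule (\d+) ")
CRYPTO_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

# Constructed config fragment. Routes, track and probe follow the thread;
# the schedule line and the crypto map binding (name OUTSIDE_MAP is an
# assumption) are what make the failover actually work.
GOOD_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 10.0.0.1
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6
route MPLS 172.31.1.1 255.255.255.255 172.31.0.1 1 track 6
sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface MPLS
sla monitor schedule 1680 life forever start-time now
track 6 rtr 1680 reachability
crypto map OUTSIDE_MAP interface outside
"""

# Constructed fragment with three mistakes: the probe is never scheduled (so the
# track never comes up), it is sourced from the wrong interface, and nothing
# encrypts traffic that falls back to the default route.
BAD_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 10.0.0.1
route MPLS 192.168.0.0 255.255.254.0 172.31.0.1 1 track 6
route MPLS 192.168.2.0 255.255.255.0 172.31.0.1 1 track 6
sla monitor 1680
 type echo protocol ipIcmpEcho 172.31.1.1 interface outside
track 6 rtr 1680 reachability
"""


def parse_asa(config):
    """Pull routes, tracks, SLA probes, schedules and crypto-map bindings out of config text."""
    cfg = {"routes": [], "tracks": {}, "slas": {}, "scheduled": set(), "crypto_ifs": set()}
    current_sla = None  # 'type echo' lines belong to the preceding 'sla monitor N'
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ROUTE_RE.match(line):
            iface, net, mask, next_hop, _metric, track = m.groups()
            cfg["routes"].append({
                "iface": iface,
                "net": ipaddress.ip_network(f"{net}/{mask}"),
                "next_hop": next_hop,
                "track": int(track) if track else None,
            })
        elif m := TRACK_RE.match(line):
            cfg["tracks"][int(m.group(1))] = int(m.group(2))
        elif m := SCHED_RE.match(line):
            cfg["scheduled"].add(int(m.group(1)))
        elif m := SLA_RE.match(line):
            current_sla = int(m.group(1))
            cfg["slas"].setdefault(current_sla, None)
        elif (m := ECHO_RE.match(line)) and current_sla is not None:
            cfg["slas"][current_sla] = {"target": m.group(1), "iface": m.group(2)}
        elif m := CRYPTO_IF_RE.match(line):
            cfg["crypto_ifs"].add(m.group(2))
    return cfg


def lint(config):
    """Return a list of findings; an empty list means the pattern is wired up correctly."""
    cfg = parse_asa(config)
    findings = []
    tracked = {}  # track id -> interfaces whose routes that track controls
    for r in cfg["routes"]:
        if r["track"] is not None:
            tracked.setdefault(r["track"], set()).add(r["iface"])
    for tid, ifaces in sorted(tracked.items()):
        sla_id = cfg["tracks"].get(tid)
        if sla_id is None:
            findings.append(f"track {tid} is referenced by routes but never defined")
            continue
        probe = cfg["slas"].get(sla_id)
        if not probe:
            findings.append(f"track {tid} uses sla monitor {sla_id}, which has no 'type echo' probe")
            continue
        if sla_id not in cfg["scheduled"]:
            findings.append(f"sla monitor {sla_id} is never scheduled; add "
                            f"'sla monitor schedule {sla_id} life forever start-time now'")
        for iface in sorted(ifaces - {probe["iface"]}):
            findings.append(f"track {tid} controls routes out {iface} but probes {probe['target']} "
                            f"via {probe['iface']}; it cannot detect an {iface} failure")
    defaults = [r for r in cfg["routes"] if r["net"].prefixlen == 0]
    if not defaults:
        findings.append("no default route; tracked prefixes have nothing to fall back to")
    for r in defaults:
        if r["iface"] not in cfg["crypto_ifs"]:
            findings.append(f"default route exits {r['iface']} but no crypto map is bound there; "
                            f"traffic that fails over to it leaves unencrypted")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{name}: {lint(text) or ['no findings']}")
```

Run it against a `show running-config` capture to confirm the probe, track and routes line up before pulling the MPLS circuit for a failover test; the missing schedule line in particular fails silently, because the routes stay out of the table and the ASA quietly uses the default route the whole time.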