route IF primary connection fails 1

[nelifecare]

OK. Here it goes. I'm writing this since I am still waiting from a vendor on this setup and want to see if anyone here can assist.

2 sites.

Each site's gateway is a 3560G.

Each site has as ASA for Internet

Site A has a 2811 with WIC-T1

Site B has a 1841 with WIC-T1

Site A and B are currently defaulted to use a VPN between the 2 for their primary connection. (Greater bandwidth)

Site A and B also are connected via the 1841 and 2811 with a private circuit. (Secondary)

What I would like to happen is IF the primary connection fails traffic is routed over the secondary connection automatically then faiback once the primary link is back up.

The vendor is playing around with IP SLA icmp-echo commands along with the track command.

This isn't working. Does anyone have any good examples of a similar setup that I may reference.

Thanks

 

[unclerico]

i'm assuming that the sla monitor is setup on each 3560?? if so, what ip address is each setup to ping??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Switch A:

track 1 rtr 1 reachability
ip subnet-zero
ip routing
!
ip sla 1
icmp-echo 10.255.255.2
timeout 500
frequency 3
ip sla schedule 1 life forever start-time pending

interface Loopback10255
ip address 10.255.255.1 255.255.255.255

router ospf 100
log-adjacency-changes
redistribute connected
network 192.168.1.0 0.0.0.255 area 0

ip route 192.168.40.0 255.255.255.0 192.168.1.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.11
ip route 192.168.40.0 255.255.255.0 192.168.1.2 254



Switch B:

track 1 rtr 1 reachability
ip subnet-zero
ip routing
!
ip sla responder
ip sla 1
icmp-echo 10.255.255.1
timeout 500
frequency 3
ip sla schedule 1 life forever start-time pending

interface Loopback10255
ip address 10.255.255.2 255.255.255.255

router ospf 100
log-adjacency-changes
redistribute connected
network 192.168.40.0 0.0.0.255 area 0
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.40.11 track 1
ip route 0.0.0.0 0.0.0.0 192.168.40.11
ip route 192.168.1.0 255.255.255.0 192.168.40.2 254

 

[unclerico]

i see you're using ospf, why don't you just use that to detect the failure??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

How would I use OSPF to detect the failure?

I want my primary connection to go via VPN and the secondary to go Point-To-Point.

In the past we had this the other way around using OSPF and it work great. Now that I want it the other way around my vendor is still trying to figure out how.

 

[unclerico]

you need to run OSPF across the VPN tunnel as well as the PtP and tweak the metric to choose the VPN route

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

How would I do that?

 

[unclerico]

the vpn terminates on the ASA's??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Yes. VPNs terminate on ASAs.

 

[unclerico]

ok, if you aren't familiar with how to run OSPF over a L2L tunnel follow this document:

http://www.cisco.com/en/US/customer...s_configuration_example09186a00804acfea.shtml

once you have that setup verify that the VPN routes are in the routing table. if they're not then you're going to need to go under the LAN interface on each PtP router and adjust the cost by adding ip ospf cost <number>. The number needs to be something that will make the cost of the PtP routes higher than the cost that is being reported by the ASA's.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

OK. I've attempted to setup OSPF over VPN and I cannot complete 100%. Half is up.

Site A

sh ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
192.168.40.11 1 INIT/ - 0:00:38 173.13.72.149 Outside
192.168.1.2 1 FULL/DROTHER 0:00:32 192.168.1.2 Inside
192.168.1.1 1 FULL/BDR 0:00:32 192.168.1.1 Inside


Site B:

sh ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
192.168.40.2 1 FULL/BDR 0:00:31 192.168.40.2 inside
10.255.255.2 1 FULL/DR 0:00:38 192.168.40.1 inside
N/A 0 DOWN/ - - 24.39.38.125 outside





Site A Config:

: Saved
: Written by enable_15 at 10:25:54.216 EST Thu Jan 7 2010
!
ASA Version 8.0(4)
!
terminal width 200
hostname SITEA
domain-name xxxx.org
enable password ********* encrypted
passwd ********** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xx.xx.x8.125 255.255.255.240
ospf cost 10
ospf network point-to-point non-broadcast
!
interface Ethernet0/1
speed 100
duplex full
nameif Inside
security-level 99
ip address 192.168.1.11 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ospf cost 10
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server 192.168.1.21
name-server 192.168.1.31
domain-name xxxx.org
same-security-traffic permit intra-interface
object-group service Citrix tcp
description Open ports 80,443,442,1492,8088
port-object eq 442
port-object eq citrix-ica
port-object eq 8088
port-object eq www
port-object eq https
object-group network CitrixServers
description All Citrix Servers
network-object 192.168.1.38 255.255.255.255
network-object 192.168.1.39 255.255.255.255
network-object 192.168.1.40 255.255.255.255
network-object 192.168.1.41 255.255.255.255
network-object host 192.168.1.42
object-group network CorpDVS
network-object host xx.xx.xx.185
network-object host xx.xx.xx.252
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.2.10
network-object host 192.168.2.50
object-group network Internal_DNS_Servers
network-object host 192.168.1.21
network-object host 192.168.1.31
object-group service DM_INLINE_TCP_1 tcp
port-object eq 444
port-object eq https
object-group network DM_INLINE_NETWORK_3
network-object 192.168.1.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 192.168.1.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
network-object 192.168.60.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object host xx.xx.x8.114
network-object host xx.xx.x8.122
object-group network DM_INLINE_NETWORK_2
network-object host 10.255.255.1
network-object 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object host 10.255.255.2
network-object 192.168.40.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object host 10.255.255.1
network-object 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host xx.xx.x8.114 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.116 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x8.116 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.115 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.115 eq www
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_5 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x8.121 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x8.118 eq https
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any host xx.xx.x8.120 eq https
access-list Outside_access_in extended permit tcp object-group CorpDVS host x.x.x8.117 eq 3389
access-list Outside_access_in extended permit tcp host x.x.x.138 host xx.xx.x8.121 eq 26
access-list Outside_access_in extended permit tcp any host xx.xx.x8.119 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x8.119 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.124 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x8.123 object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.32 eq smtp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.32 eq smtp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.21 eq 3268
access-list DMZ_access_in extended permit udp host 192.168.2.20 host 192.168.1.21 eq ntp
access-list DMZ_access_in extended permit tcp host 192.168.2.20 host 192.168.1.44 eq ftp
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.21 eq 3268
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group CitrixServers object-group Citrix
access-list DMZ_access_in extended permit ip host 192.168.2.50 host 192.168.1.135
access-list DMZ_access_in extended permit udp host 192.168.2.10 host 192.168.1.21 eq ntp
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 object-group Internal_DNS_Servers eq domain
access-list DMZ_access_in extended permit udp 192.168.2.0 255.255.255.0 host 192.168.1.4 eq snmp
access-list DMZ_access_in extended permit icmp 192.168.2.0 255.255.255.0 any
access-list DMZ_access_in extended permit tcp host 192.168.2.10 host 192.168.1.49 eq 1433
access-list DMZ_access_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 10.255.255.2
access-list Inside_nat0_outbound extended permit ip host 10.255.255.1 192.168.40.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Outside_100_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 172.16.1.0 255.255.255.224
access-list Outside_80_cryptomap extended permit ospf interface Outside host xx.xx.x2.149
access-list Outside_80_cryptomap extended permit ospf interface Outside xx.xx.x2.144 255.255.255.248
access-list Outside_80_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_6
access-list Outside_80_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Outside_80_cryptomap extended permit ip object-group DM_INLINE_NETWORK_7 host 10.255.255.2
access-list DMZ_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list DMZ_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 100000
logging asdm-buffer-size 512
logging console informational
logging buffered critical
logging asdm critical
logging from-address
logging recipient-address level errors
logging host Inside 192.168.1.22
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool RegionalVPN 172.16.1.1-172.16.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 xx.xx.x8.126
global (Outside) 100 xx.xx.x8.124
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 192.168.2.0 255.255.255.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (Inside,Outside) xx.xx.x8.117 192.168.1.17 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.119 192.168.1.105 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.118 192.168.1.32 netmask 255.255.255.255
static (Inside,Outside) xx.xx.x8.120 192.168.1.33 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.122 192.168.2.20 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.114 192.168.2.10 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.121 192.168.2.11 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.116 192.168.2.12 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.115 192.168.2.13 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.124 192.168.2.14 netmask 255.255.255.255
static (DMZ,Outside) xx.xx.x8.123 192.168.2.50 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
!
router ospf 100
network xx.xx.x8.112 255.255.255.240 area 0
network xx.xx.x2.144 255.255.255.248 area 0
network 192.168.1.0 255.255.255.0 area 0
neighbor xx.xx.x2.149 interface Outside
log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 24.39.38.113 1
route Inside 10.255.255.1 255.255.255.255 192.168.1.1 1
route Outside xx.xx.x2.149 255.255.255.255 24.39.38.113 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:10:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 192.168.1.21 protocol radius
aaa-server 192.168.1.21 (Inside) host 192.168.1.21
key ************
radius-common-pw ************
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
default-acl unused
reval-period 36000
sq-period 300
http server enable
http 0.0.0.0 0.0.0.0 Inside
snmp-server host Inside 192.168.1.4 community ******
snmp-server location ********
snmp-server contact *******
sysopt connection preserve-vpn-flows
sysopt noproxyarp Inside
sysopt noproxyarp DMZ
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer xx.xx.x7.157
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer xx.xx.x0.210
crypto map Outside_map 60 set transform-set ESP-3DES-MD5
crypto map Outside_map 60 set security-association lifetime seconds 28800
crypto map Outside_map 60 set security-association lifetime kilobytes 4608000
crypto map Outside_map 80 match address Outside_80_cryptomap
crypto map Outside_map 80 set pfs
crypto map Outside_map 80 set peer xx.xx.x2.149
crypto map Outside_map 80 set transform-set ESP-3DES-MD5
crypto map Outside_map 80 set security-association lifetime seconds 28800
crypto map Outside_map 80 set security-association lifetime kilobytes 4608000
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs
crypto map Outside_map 100 set peer xx.xx.x4.2
crypto map Outside_map 100 set transform-set ESP-3DES-MD5
crypto map Outside_map 100 set security-association lifetime seconds 28800
crypto map Outside_map 100 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh timeout 15
console timeout 30
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.21
webvpn
enable Outside
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 192.168.1.21
dns-server value 192.168.1.21 192.168.1.31
vpn-tunnel-protocol IPSec
pfs enable
default-domain value xxxx.org
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
group-policy webvpn internal
group-policy webvpn attributes
vpn-tunnel-protocol webvpn
webvpn
group-policy nevpn internal
group-policy nevpn attributes
vpn-tunnel-protocol IPSec
group-policy SOHO internal
group-policy SOHO attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
smartcard-removal-disconnect enable
group-policy Laptops internal
group-policy Laptops attributes
vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key ************
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group 192.168.1.21
default-group-policy webvpn
tunnel-group xx.xx.x7.157 type ipsec-l2l
tunnel-group xx.xx.x7.157 ipsec-attributes
pre-shared-key ************
tunnel-group xx.xx.x3.53 type ipsec-l2l
tunnel-group xx.xx.x3.53 ipsec-attributes
pre-shared-key ************
tunnel-group xx.xx.x0.210 type ipsec-l2l
tunnel-group xx.xx.x0.210 ipsec-attributes
pre-shared-key ************
tunnel-group nevpn type remote-access
tunnel-group nevpn general-attributes
address-pool RegionalVPN
authentication-server-group 192.168.1.21
default-group-policy nevpn
tunnel-group nevpn ipsec-attributes
pre-shared-key ************
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 general-attributes
default-group-policy SOHO
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key ************
isakmp keepalive threshold 20 retry 5
tunnel-group xx.xx.x4.2 type ipsec-l2l
tunnel-group xx.xx.x4.2 ipsec-attributes
pre-shared-key ************
tunnel-group xx.xx.x5.117 type ipsec-l2l
tunnel-group xx.xx.x5.117 ipsec-attributes
pre-shared-key ************
tunnel-group xx.xx.x2.149 type ipsec-l2l
tunnel-group xx.xx.x2.149 ipsec-attributes
pre-shared-key ************
tunnel-group-map default-group DefaultL2LGroup
!
class-map sip-port
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect http
inspect dns preset_dns_map
inspect ipsec-pass-thru
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1500
policy-map sip_policy
class sip-port
inspect sip
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
!
service-policy global_policy global
smtp-server 192.168.1.27
prompt hostname domain context
Cryptochecksum:e7fd369cfb6bb1d12da7db465bdc687b
: end




Site B Config:


ASA Version 8.0(4)
!
hostname SITEB
domain-name xxxx.org
enable password ****** encrypted
passwd ****** encrypted
names

interface Vlan1
nameif inside
security-level 100
ip address 192.168.40.11 255.255.255.0
ospf cost 10

interface Vlan2
nameif outside
security-level 0
ip address xx.xx.x2.149 255.255.255.248
ospf cost 10
ospf network point-to-point non-broadcast
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT 5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.40.9
domain-name nelifecare.org
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 10.255.255.2
network-object 192.168.40.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 10.255.255.1
network-object 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 10.1.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.20.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.30.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list no_nat extended permit ip host 10.255.255.2 host 10.255.255.1
access-list no_nat extended permit ip host 10.255.255.1 host 10.255.255.2
access-list no_nat extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
access-list no_nat extended permit ip host 10.255.255.2 192.168.1.0 255.255.255.0
access-list no_nat extended permit ip any 172.16.40.0 255.255.255.0
access-list VPN_Client_In extended permit ip any 172.16.40.0 255.255.255.224
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN_To_Regional extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list VPN_To_Regional extended permit ospf interface outside host xx.xx.x8.125
access-list acl_outside extended permit icmp any any
access-list outside_20_cryptomap extended permit ospf interface outside host xx.xx.x8.125
access-list outside_20_cryptomap extended permit ospf interface outside xx.xx.x8.112 255.255.255.240
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list Outside_access_in extended permit tcp any host xx.xx.x2.146 eq smtp
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq https
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq www
access-list Outside_access_in extended permit tcp any host xx.xx.x2.147 eq 444
access-list Outside_access_in extended permit icmp any any
access-list outside_cryptomap_dyn_10 extended permit ip any 172.16.40.0 255.255.255.192
access-list Outside_20_cryptomap extended permit ip host 10.255.255.2 host 10.255.255.1
access-list Outside_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 10.255.255.1
pager lines 24
logging enable
logging buffer-size 16384
logging buffered debugging
logging asdm errors
logging facility 16
logging host inside 192.168.40.100
mtu inside 1500
mtu outside 1500
ip local pool VPN_Client_In 172.16.40.10-172.16.40.50
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xx.xx.x2.148 netmask 255.255.255.255
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.x2.147 192.168.40.18 netmask 255.255.255.255
static (inside,outside) xx.xx.x2.146 192.168.40.17 netmask 255.255.255.255
access-group Outside_access_in in interface outside
!
router ospf 100
network xx.xx.x8.112 255.255.255.240 area 0
network xx.xx.x2.144 255.255.255.248 area 0
network 192.168.40.0 255.255.255.0 area 0
neighbor xx.xx.x8.125 interface outside
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 xx.xx.x2.150 1
route outside 10.1.100.0 255.255.255.0 192.168.1.66 1
route inside 10.255.255.2 255.255.255.255 192.168.40.1 1
route outside xx.xx.x8.125 255.255.255.255 xx.xx.x2.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ATTIS protocol radius
aaa-server ATTIS (inside) host 192.168.40.9
key ******
http server enable
http 192.168.0.0 255.255.0.0 inside
snmp-server host inside 192.168.1.4 community ******
snmp-server location 192.168.40.0
snmp-server contact helpcenter@xxx.org
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xx.xx.x8.125
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer xx.xx.x4.2
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer xx.xx.x0.210
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 60
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.40.9 source inside prefer
group-policy neVPN internal
group-policy neVPN attributes
wins-server value 192.168.40.9 192.168.1.21
dns-server value 192.168.40.9 192.168.1.21
vpn-tunnel-protocol IPSec
default-domain value xxx.org
tunnel-group xx.xx.x8.125 type ipsec-l2l
tunnel-group xx.xx.x8.125 ipsec-attributes
pre-shared-key *
tunnel-group neVPN type remote-access
tunnel-group neVPN general-attributes
address-pool VPN_Client_In
authentication-server-group ATTIS
default-group-policy neVPN
tunnel-group neVPN ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.x4.2 type ipsec-l2l
tunnel-group xx.xx.x4.2 ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.x0.210 type ipsec-l2l
tunnel-group xx.xx.x0.210 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context





Can you see anything I'm missing?

 

[unclerico]

run some ospf debugs and see post back what it says. i have a feeling it may be that your global ip is different than your outside interface ip. maybe try changing the ospf neighbor on each asa to match what you have in your global (outside) statement

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

OK. Got this to work. I removed the neighbor and then re-added it back and OSPF started working.

Once that occurred had an issue. Site A also accepts connections from Site C and D, 2 other branches primary is Point-to-Point and secondary would failover to VPN.

Currently, ALL sites connect to Site B via VPN. When I introduced the new OSPF settings, Site C and D could not see Site B. If Sites B, C, or D are connected to Site A using the Point-To-Point, they communicated via the Point-to-Point. If anyone of the Sites is NOT using the Point-to-Point, they communicate via VPN. If I implement OSPF over VPN on the other 2 Sites (C & D) should everything work correctly if any one Site loses 1 of their network connections?

I want to continue to have Sites C & D use their Point-to-Point as their primary and only failover to secondary if primary fails. How would I setup OSPF costs to accomplish this?

 

[unclerico]

i want to make 100% sure i understand what you are talking about. can you upload a network topology that shows your current state as well as your future (ideal) state?? adding in sites C and D will essentially eliminate the use of OSPF over the VPN tunnel (it's a shortcoming in how the ASA's run OSPF across VPN's).

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

PDF of overall network here:

http://www.docshare.com/doc/202978/NetworkConfig

I essentially am trying to make sure ALL sites stay connected at ALL times no matter which link is severed as long as multiple links are not at the same time.

 

[unclerico]

so as it is right now, if a host in Site C or D wanted to communicate with a host in Site B they would use the PtP connection to Site A and then would hop on the VPN tunnel from Site A to Site B (Site C -> Site A -> Site B)?? i just want to clarify.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

no. If Site B is connected to Site A via VPN, ALL sites will communicate with Site B via VPN. I think this is because Site B is only sending data via VPN and isn't even using the PtP.

 

[unclerico]

this will be pretty easy to do. you will run OSPF across all of the PtP circuits so that if the Internet connection on site C or D goes down it will be able to use site A as a transit to reach site B and vice versa. you must configure your firewalls to permit ICMP Echo traffic from the other sites (Site B needs to permit ICMP Echos from Site A, C, and D. Site D needs to permit ICMP Echos from Site B, etc). Since static routes will be preferred over the OSPF routes (assuming that the prefix length is the same) the routing tables will look like this:

Site A
OSPF route to Site C and D over the PtP links
Tracked static route over the VPN to Site B

Site B
Tracked static route over the VPN to all other sites

Site C
OSPF route to Site A over the PtP link
OSPF route to Site D over the PtP link
Tracked static route over the VPN to Site B

Site D
OSPF route to Site A over the PtP link
OSPF route to Site C over the PtP link
Tracked static route over the VPN to Site B

if the connection to the Internet at Site B goes down then the static routes at Site A, C, and D will be removed from the routing table and OSPF will do its thing to route everything through Site A to reach Site B. Site B will then use Site A to reach Site C and Site D. When the connection to the Internet comes back on line at Site B then the static routes will be installed in the other sites routing tables and the OSPF routes will be removed

the only thing this doesn't do is permit Site C and Site D to communicate over the VPN to each other; they will use Site A as a transit.

you may even want to alter this in such a way that your default routes are tracked and will reroute your web traffic over your private circuits (if you have enough capacity that is)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using the following as an addressing scheme:
Site A subnets: 192.168.1.0/24 (LAN), 172.16.12.0/30 (PtP - B), 172.16.13.0/30 (PtP - C), 172.16.14.0/30 (PtP - D)
Site B subnets: 192.168.2.0/24 (LAN), 172.16.12.0/30 (PtP - A)
Site C subnets: 192.168.3.0/24 (LAN), 172.16.13.0/30 (PtP - A)
Site D subnets: 192.168.4.0/24 (LAN), 172.16.14.0/30 (PtP - A)


Site A core switch:

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <ASA_inside_ip>
ip route 192.168.2.0 255.255.255.0 <ASA_inside_Ip> track 1

router ospf 1
  network 192.168.1.0 0.0.0.255 area 0
  network 172.16.12.0 0.0.0.3 area 0
  network 172.16.13.0 0.0.0.3 area 0
  network 172.16.14.0 0.0.0.3 area 0

SiteB core switch:

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_siteA_ASA>
  frequency 5
  timeout 5000
ip sla monitor 2
  type echo protocol ipicmpecho <outside_ip_siteC_ASA>
  frequency 5
  timeout 5000
ip sla monitor 3
  type echo protocol ipicmpecho <outside_ip_siteD_ASA>
  frequency 5
  timeout 5000

ip sla monitor schedule 1 life forever start-time now
ip sla monitor schedule 2 life forever start-time now
ip sla monitor schedule 3 life forever start-time now

track 1 rtr 1 reachability
track 2 rtr 2 reachability
track 3 rtr 3 reachability

ip route 0.0.0.0 0.0.0.0 <asa_inside_ip>
ip route 192.168.1.0 255.255.255.0 <asa_inside_ip> track 1
ip route 192.168.3.0 255.255.255.0 <asa_inside_ip> track 2
ip route 192.168.4.0 255.255.255.0 <asa_inside_ip> track 3

router ospf 1
  network 192.168.2.0 0.0.0.255 area 0
  network 172.16.12.0 0.0.0.3 area 0

SiteC core switch:

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <asa_inside_ip>
ip route 192.168.2.0 255.255.255.0 <asa_inside_ip> track 1

router ospf 1
  network 192.168.3.0 0.0.0.255 area 0
  network 172.16.13.0 0.0.0.3 area 0

SiteD core switch:

ip sla monitor 1
  type echo protocol ipicmpecho <outside_ip_site_b_asa>
  frequency 5
  timeout 5000
ip sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 <next_hop_ip>
ip route 192.168.2.0 255.255.255.0 <ASA_inside_Ip> track 1

router ospf 1
  network 192.168.4.0 0.0.0.255 area 0
  network 172.16.14.0 0.0.0.3 area 0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[nelifecare]

Thanks for getting this to me!

Should I remove the OSPF over VPN? Is it still needed?

 

[unclerico]

Should I remove the OSPF over VPN?

yes. good luck and post back with any problems.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)