It’s getting more common to use dual ISPs since most companies nowadays depend on a functioning network and Internet connection. In this scenario we will be using a leased line as the primary connection; this connection won’t be encrypted since it is a private point-to-point link. The second connection is a VPN tunnel over the Internet. This is what our network looks like:
We will be using a feature called SLA monitor to achieve our goal. Let’s start with the interface config:
interface Ethernet0/0
 nameif OUTSIDE-LEASED
 security-level 50
 ip address 10.255.0.1 255.255.255.252
!
interface Ethernet0/1
 nameif OUTSIDE-INTERNET
 security-level 0
 ip address 10.255.0.5 255.255.255.252
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 172.16.0.1 255.255.255.0
We have three interfaces, with a security level of 100 for the inside, 50 for the leased line and 0 for the Internet connection. We need access-lists to allow the traffic in on our OUTSIDE interfaces:
access-list OUTSIDE_IN extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPN_TRAFFIC extended permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.255.0
The access-list VPN_TRAFFIC defines the “interesting” traffic that triggers the VPN tunnel. Apply the access-lists to the relevant interfaces:
access-group OUTSIDE_IN in interface OUTSIDE-LEASED
access-group OUTSIDE_IN in interface OUTSIDE-INTERNET
We need routing for the inside network at the other end:
route OUTSIDE-LEASED 192.168.0.0 255.255.255.0 10.255.0.2 1 track 1
route OUTSIDE-INTERNET 192.168.0.0 255.255.255.0 10.255.0.6 254
The track 1 keyword ties the static route to tracking object 1, so the route is withdrawn if the tracked target goes down; the other route is called a floating static route and has an administrative distance of 254. This is the config that relates to the tracking:
sla monitor 1
 type echo protocol ipIcmpEcho 10.255.0.2 interface OUTSIDE-LEASED
 num-packets 5
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
We are sending 5 ICMP packets, 5 seconds apart, to the other end of the leased line. We only need to receive one successful answer to stay on the primary line. If you want to do it differently you could set the number of packets to 1 or whatever value suits your topology. This is the configuration that relates to the VPN tunnel; if you don’t need VPN just remove it:
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-MAP 1 match address VPN_TRAFFIC
crypto map VPN-MAP 1 set peer 10.255.0.6
crypto map VPN-MAP 1 set transform-set 3DES-SHA
crypto map VPN-MAP interface OUTSIDE-INTERNET
crypto isakmp enable OUTSIDE-INTERNET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.255.0.6 type ipsec-l2l
tunnel-group 10.255.0.6 ipsec-attributes
 pre-shared-key secret
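As an added example (not from the original post), the Python script below parses the route, SLA monitor and track lines of the failover configuration and checks that they fit together: each destination prefix needs a tracked primary route, a floating backup with a higher administrative distance, a track object backed by an ICMP echo SLA probe, and a probe that leaves through the primary route's interface. The sample configuration embedded in it is constructed from the lines above.

```python
import ipaddress

# Constructed sample input: the route, SLA monitor and track lines from the configuration above.
ASA_CONFIG = """
route OUTSIDE-LEASED 192.168.0.0 255.255.255.0 10.255.0.2 1 track 1
route OUTSIDE-INTERNET 192.168.0.0 255.255.255.0 10.255.0.6 254
sla monitor 1
 type echo protocol ipIcmpEcho 10.255.0.2 interface OUTSIDE-LEASED
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
"""

def parse(cfg):
    # Collect static routes, ICMP echo SLA probes and track objects from ASA config text.
    routes, slas, tracks, sla_id = [], {}, {}, None
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[0] == "route":  # route <iface> <net> <mask> <gw> <ad> [track <id>]
            routes.append({"iface": t[1], "prefix": ipaddress.ip_network(f"{t[2]}/{t[3]}"),
                           "gw": ipaddress.ip_address(t[4]), "ad": int(t[5]),
                           "track": int(t[t.index("track") + 1]) if "track" in t else None})
        elif t[:2] == ["sla", "monitor"] and t[2].isdigit():  # skips "sla monitor schedule"
            sla_id = int(t[2])
        elif t[0] == "type" and "ipIcmpEcho" in t:  # probe target and the interface it leaves through
            slas[sla_id] = (ipaddress.ip_address(t[t.index("ipIcmpEcho") + 1]), t[t.index("interface") + 1])
        elif t[0] == "track" and t[2] == "rtr":  # track <id> rtr <sla-id> reachability
            tracks[int(t[1])] = int(t[3])
    return routes, slas, tracks

def check_failover(cfg):
    """Return findings; an empty list means each prefix has a tracked primary and a floating backup."""
    routes, slas, tracks = parse(cfg)
    findings = []
    for prefix in sorted({r["prefix"] for r in routes}, key=str):
        # Lowest administrative distance is the primary route; the rest are floating backups.
        p, *rest = sorted((r for r in routes if r["prefix"] == prefix), key=lambda r: r["ad"])
        if not rest or rest[0]["ad"] == p["ad"]:
            findings.append(f"{prefix}: no floating backup route with a higher administrative distance")
        if p["track"] is None:
            findings.append(f"{prefix}: primary route is not tracked, so it is never withdrawn")
        elif (sla := slas.get(tracks.get(p["track"]))) is None:
            findings.append(f"{prefix}: track {p['track']} is not backed by an ICMP echo SLA monitor")
        elif sla[1] != p["iface"]:
            findings.append(f"{prefix}: SLA probe to {sla[0]} leaves via {sla[1]}, not {p['iface']}")
    return findings
```

Probing the directly connected next hop, as this configuration does, only detects a failure of the local leg of the leased line; a target further along the path, such as an address on the remote inside network, would also catch failures beyond the provider's edge.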