I am trying to engineer a solution that will meet our needs. I've come into a network and am having to figure it all out as I go. We currently have a site in Houston. This site serves the public as well as our branch offices.
Currently, we connect to remote offices using IPsec tunnels initiated and landing on Cisco ASA 5510s. Each of the branch offices has its own independent internet connection, whether it be a T3 with AT&T or 384k DSL with a mom-and-pop telco.
Well, the company has decided to go with an MPLS network for all locations. They will drop all of their independent uplinks and do everything over the MPLS, with a split off of it for their internet access. The hub location (Houston) will connect to both the MPLS connection AND the normal internet connection. Each location, including Houston, received a routable address which is NATed to an internal address at each location.
For redundancy, we want to make it so that if the MPLS link in Houston fails, we can still create tunnels into/out of the branch offices utilizing the internet connection.
The way that I had envisioned this is to set up the tunnels on the ASA to land on the new IP address. This address is internet-routable, and if it's a destination sent out to the MPLS router, it will ride the MPLS network to the other end. And then I could set up track routing on my router which looked to get to that address over the MPLS link, and if that failed, it would change the route to send the traffic over the internet link instead.
Unfortunately, this does not seem to be working. The other options I have are dropping IPsec over MPLS (which I'm not too terribly thrilled about, but that's a whole other debate), or moving the MPLS router behind our firewall with another router in front of it, doing the same tracked-route idea, and having the devices use this router as a default gateway.
Is there a better way of doing what I'd like to do? The ASA doesn't seem to deal well with multiple routes, and I'm curious about possibly creating a tunnel on the inside interface to encrypt over the MPLS, but if you have two tunnels routing for the same addresses I'm sure it wouldn't like that... unless there's some way to determine if a tunnel should be up or down based on another tunnel... or something being up (e.g., a pingable IP).
Any information would be appreciated.
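As an added example of the tracked-route idea the question describes (this is illustrative Cisco IOS configuration for the router in front of the ASA, not the poster's own config), the following ties the primary static route toward the branch tunnel endpoints to an IP SLA reachability probe across the MPLS cloud, with a floating static over the internet link as the fallback. All addresses are assumed and taken from RFC 5737 documentation space: 203.0.113.0/24 stands for the branches' routable tunnel-endpoint addresses, 192.0.2.1 for the MPLS provider's PE next hop, 192.0.2.130 for a far-side address that exists only inside the MPLS cloud, and 198.51.100.1 for the internet next hop; GigabitEthernet0/0 is the assumed MPLS-facing interface.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing (RFC 5737 documentation ranges):
!   203.0.113.0/24  branch tunnel endpoints (routable on both MPLS and internet)
!   192.0.2.1       MPLS PE next hop on GigabitEthernet0/0
!   192.0.2.130     far-side address reachable only across the MPLS cloud (probe target)
!   198.51.100.1    internet next hop
!
! Pin the probe target to the MPLS next hop with an UNTRACKED host route.
! The probe must not be able to succeed over the internet path, otherwise the
! track would come back up after a failover and the routes would flap.
ip route 192.0.2.130 255.255.255.255 192.0.2.1
!
! ICMP echo probe every 5 seconds, 2 second timeout, sourced from the MPLS interface.
ip sla 1
 icmp-echo 192.0.2.130 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability; dampening so a single lost echo
! does not tear down tunnels (15 s before declaring down, 30 s before up).
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary path to the branch endpoints over MPLS, withdrawn while track 1 is down.
ip route 203.0.113.0 255.255.255.0 192.0.2.1 track 1
!
! Floating static (administrative distance 250) over the internet link; it is
! installed only when the tracked MPLS route has been removed from the table.
ip route 203.0.113.0 255.255.255.0 198.51.100.1 250
```

The probe target is deliberately not one of the tunnel endpoint addresses: if the probe pinged an address in 203.0.113.0/24 that is also reachable over the internet, the failover route itself would carry the probe, the track would flip back to up, and the two routes would oscillate. `show track 1` and `show ip route 203.0.113.0` show which path is currently installed; the IPsec peers on the ASA see only a path change and the tunnel re-keys to the same peer address over whichever link is active.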