cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2120
Views
0
Helpful
5
Replies

Backup vpn tunnels

netsec123
Level 1
Level 1

Hi. We are using an ASA [failover pair] and tracking an interface so that we have Internet failover out a 2nd interface to another ISP. When the failover happens, we'd like the vpn tunnels to renegotiate using the backup internet interface to the 2nd ISP. IS this possible? THANKS!

5 Replies 5

smalkeric
Level 6
Level 6

I think you will have to do a NAT at some internet router in front of ASA when the traffic switched from primary to secondary (or when the primary fails), and remote ASA will have to point to two peer internet router. If one of the internet link fails, the traffic will be put on to the other internet link using HSRP. For the remote gateway to accept the traffic from the secondary gateway, the same crypto map on the remote gateway should point to both gateways. You will have to configure more than one peer on crypto map. Also the traffic has to be originated from remote side because on 7.x code having more than one peer on the crypto map, the tunnel would need to be initiated just from that specific peer.

What kind of Internet connections you have or will have?

Check this link:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

THANK YOU SO MUCH.

I think I got this licked on Wed.

Rough stuff.

Thanks!!!!

Hi Netsec,

Were you able to get this configured as desired? I ma in the proccess of trying to do a simlar thing. I have a VPN over ISP 1 on Firewall 1 to ISP 1 on Firewall 2, each at different site, I need the VPN to failover along with the Internet Link.

Thanks in advance...

I'm sorry... we never got this to work effectively....

Review Cisco Networking for a $25 gift card