1 ASA with tunnels to 2 gateways, same destination network - possible?

ajenks
Level 1

Hi, I wonder if anyone can comment on the following: a customer is trying to configure a site-to-site VPN with a 3rd party supplier. The 3rd party supplier is providing 2 VPN gateways (live and DR/backup) into the same network, but the gateways have different public IPs. The customer has a single ASA.

How would this be configured from the ASA to essentially make the same destination network available over 2 separate tunnels (1 to each separate endpoint)? Would you do something like:

1) Configure the tunnels to carry the same traffic, but prefer one over the other (or keep the second tunnel down until it's required) - is this possible?

2) Use NATing to assign different ranges to each tunnel at the ASA end, then in the event of failover change the IP addresses at the application level to reference the range on Tunnel B (rather than Tunnel A) - which would in fact be NAT'd back to the same destination

eg.

3.3.3.1 -> Tunnel A -> NAT to 192.168.1.1

4.4.4.1 -> Tunnel B -> NAT to 192.168.1.1

3) Configure 1 tunnel on ASA with target of Gateway A and reconfigure same tunnel to alternative gateway if need arises.

I know 3) is possible; 2) would be poor (labour intensive, or possibly just a manual DNS change I suppose). I was interested in whether option 1) or similar is possible. I'm waiting on a response from the 3rd party supplier as to the intended configuration.

4 Replies

jj27
Spotlight

Just set multiple peer addresses on the crypto map for that sequence number.

crypto map outside_map 1 set peer x.x.x.x y.y.y.y

It will try to build the tunnel with x.x.x.x first; if that fails, it will try y.y.y.y.
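Spelled out as a complete ASA configuration (an added example, not jj27's or the original posters' config): one crypto map entry with both peers, a tunnel-group for each peer, and the NAT exemption the protected traffic needs. Peer addresses, the pre-shared keys, the ISP next hop and the object names are placeholders; the subnets are taken from the thread for illustration only.

```cisco
! Added example: one ASA, one crypto map sequence, two peers for the same
! remote network. x.x.x.x (live) is tried first, y.y.y.y (DR) only if IKE to
! x.x.x.x gets no answer. All addresses and names are placeholders.
object network LOCAL_NET
 subnet 10.10.20.0 255.255.255.0
object network SUPPLIER_NET
 subnet 192.168.1.0 255.255.255.0
!
! Interesting traffic is identical whichever peer answers, so one ACL serves both.
access-list VPN_TO_SUPPLIER extended permit ip object LOCAL_NET object SUPPLIER_NET
!
! Identity NAT so the VPN traffic is not translated by any outbound PAT rule.
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static SUPPLIER_NET SUPPLIER_NET no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set SUPPLIER_TS esp-aes-256 esp-sha-hmac
!
! One sequence number, two peers: the ASA walks the peer list in order.
crypto map outside_map 1 match address VPN_TO_SUPPLIER
crypto map outside_map 1 set peer x.x.x.x y.y.y.y
crypto map outside_map 1 set ikev1 transform-set SUPPLIER_TS
crypto map outside_map interface outside
crypto ikev1 enable outside
!
! Each peer authenticates through its own tunnel-group, matched on the peer IP,
! so the DR gateway can use a different pre-shared key from the live one.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key <PSK-LIVE>
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 ikev1 pre-shared-key <PSK-DR>
!
! Both peers must be reachable out of the interface the crypto map is bound to.
route outside 0.0.0.0 0.0.0.0 <ISP-next-hop> 1
```

The ASA only moves to y.y.y.y when IKE negotiation with x.x.x.x fails, and it keeps using y.y.y.y until that tunnel is torn down, so after a failover test check `show crypto ikev1 sa` to confirm which peer the SA is actually with.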

Hello,

Will this apply to my scenario as well?

I am also trying to simulate a similar kind of setup.

ASA1

Inside: 10.10.20.1/24

Outside1: 81.171.171.26/30

Outside2: 95.45.23.34/30

Intermediate Internet:

F0/0(connected to ASA1 Outside1): 81.171.171.25/30

F0/1(connected to ASA3 Outside): 92.45.23.33/30

F1/0(connected to ASA2 Outside): 91.45.23.33/30

F2/0(connected to ASA1 Outside2): 95.45.23.33/30

ASA2

Inside: 10.10.10.1/24

Outside: 91.45.23.34/30

ASA3

Inside: 10.10.10.1/24

Outside: 92.45.23.34/30

I want to set up two tunnels from ASA1 (one to ASA2 and a second to ASA3) with the same interesting traffic. This is sort of a failover. I set a default route of 0.0.0.0 0.0.0.0 81.171.171.25 on the Outside1 interface in ASA1. I cannot create a second default route for the Outside2 interface in ASA1. The tunnel between ASA1 and ASA3 is not up. Can someone help here!

Will I need 2 physical interfaces at ASA1 or the same e0 interface will work for both the tunnel peers ?

Hello,

I actually tried the way you suggested and the tunnels are failing over. It's just that when the secondary tunnel is up, I am not able to ping the interesting traffic across. Any thoughts on this?
