
ASA: Concurrently terminate site to site IPSec VPN on multiple interfaces

csacontract
Level 1

Hi.

One of our clients has the following scenario...

ASA 5510 FW v7.2 at head office

800 series routers at remote offices.

All remote sites establish a site-to-site IPsec VPN to the head office ASA.

They want to increase the speed over the VPNs, so they have commissioned a new internet link at head office. They want to migrate all VPNs across to the new link.

Both Internet links are connected directly to the ASA, both links have a security level of 0. The ASA has one connection to the Inside. We use floating static routes to determine which link is used for routing outbound traffic to the internet.

e.g.

interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.10 255.255.0.0
!
interface Ethernet0/2
nameif outside-NEW
security-level 0
ip address 2.2.2.2 255.255.255.240
!

Is it possible to simply re-configure the ASA to allow the IPsec and ISAKMP policies to terminate on the new interface 'outside-NEW', then one by one change the crypto map peer statements on each router from 1.1.1.1 to 2.2.2.2? Can I add both, having 1.1.1.1 as backup and 2.2.2.2 as primary?

I am also planning, in the interests of uptime, to terminate VPNs through 1.1.1.1 and 2.2.2.2 at the same time during the cutover. Is this possible?

All ISAKMP and IPsec policies and pre-shared keys would stay the same; the only thing that would technically change is the terminating peer.

Attached is a quick and dirty visio diagram explaining the concept.

4 Replies

andamani
Cisco Employee

Hi,

You can enable outside-NEW to listen for ISAKMP on the ASA. You also need to attach the crypto map to outside-NEW on the ASA.

On the router you can define multiple peers.

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080531f28.html#wp1002246

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Brett Hanson
Level 1

How'd you go with this?

Were you able to run VPNs on the 2 outside interfaces in the end?

If so - what did you do? Were you able to attach the crypto map to multiple interfaces?

Hi,

To my understanding you should be able to attach the same cryptomap to the other "outside" interface or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.

Also I think you will probably need to route the remote peer ip of the VPN connection towards the gateway IP address of that new "outside" and also the remote network found behind the VPN connection.

If you attempt to use a VPN Client connection instead of an L2L VPN connection with the new "outside" interface then you will run into routing problems as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if VPN Client was used since you DON'T KNOW where the VPN Clients are connecting to your ASA from).

Hope this helps

- Jouni
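The two replies above describe one procedure: enable ISAKMP on the second interface, apply the crypto map to it, route the remote peer and the remote LAN out of the new link, and list both ASA addresses as peers on the router. The configuration below is an added illustration of that procedure written for this thread; it is not from the original poster or from Cisco. It reuses the interface names and addresses from the question and assumes a crypto map named outside_map, a remote router at 3.3.3.3 with LAN 192.168.1.0/24, and a next hop of 2.2.2.1 on the new link; those names and addresses, and the placeholders in angle brackets, are constructed for the example.

```text
! --- ASA (head office) ---
! Let ISAKMP listen on the new interface too; the old one stays enabled during cutover.
crypto isakmp enable outside
crypto isakmp enable outside-NEW
!
! Apply the existing crypto map to the new interface as well (assumes the map is
! already named "outside_map" and applied to "outside"; the name is a placeholder).
crypto map outside_map interface outside
crypto map outside_map interface outside-NEW
!
! The tunnel-group (peer address and pre-shared key) is unchanged; the remote
! router address 3.3.3.3 and the key are constructed placeholders.
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key <EXISTING-PSK>
!
! Routing: the ASA chooses the egress interface for both ISAKMP/ESP to the peer
! and the cleartext traffic to be encrypted from its routing table, not from the
! crypto map. With the default route still pointing out "outside", add a host
! route for each peer that should now use the new link (2.2.2.1 is the assumed
! next hop on the 2.2.2.0/28 subnet) ...
route outside-NEW 3.3.3.3 255.255.255.255 2.2.2.1
! ... and route the remote LAN behind that peer the same way, otherwise that
! traffic leaves via "outside" and is encrypted there instead.
route outside-NEW 192.168.1.0 255.255.255.0 2.2.2.1

! --- Remote 800-series router ---
! One pre-shared key entry per ASA address, so either peer can authenticate.
crypto isakmp key <EXISTING-PSK> address 2.2.2.2
crypto isakmp key <EXISTING-PSK> address 1.1.1.1
!
crypto map VPN-MAP 10 ipsec-isakmp
 ! Peers are tried in the order listed: new link first, old link as fallback.
 set peer 2.2.2.2
 set peer 1.1.1.1
 set transform-set <EXISTING-TS>
 match address <EXISTING-CRYPTO-ACL>
```

Because both interfaces keep terminating tunnels, the migration can be done one router at a time, and a site whose router has not yet been changed continues to land on 1.1.1.1. After each router is updated, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA should show that site's SA with a local address of 2.2.2.2; if it still shows 1.1.1.1, the host route for that peer is the first thing to check.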

Hi Jouni,
Thanks for that.

Yeah - for my purposes a second link would be purely for a L2L VPN so would be easy for the routing side of things.

I'll have to do some research and determine if we have support staff connecting to the customer RA VPN on the same IP or not.

Anyway, cheers for the heads up.

Cheers,

Brett