Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5612
Views
0
Helpful
2
Replies

ASA LAN-to-LAN VPN out Multiple Interfaces

Go to solution
Bill CARTER
Level 5
Level 5

‎03-08-2013 11:14 AM

I have an ASA connected to 2 ISPs.I am using object tracking for the default route so only 1 path is used at a time. I have a L2L VPN setup going out interface A. I would like to configure a 2nd VPN going out interface B with identical parameters.

Is this possible?

(ASA software 8.2)

crypto map PATH_A 1 match address outside_1_cryptomap

crypto map PATH_A 1 set peer 10.1.1.1

crypto map PATH_A 1 set transform-set ESP-AES-128-SHA

crypto map PATH_A 1 set security-association lifetime seconds 28800

crypto map PATH_A 1 set security-association lifetime kilobytes 4608000

crypto map PATH_A 1 set reverse-route

crypto map PATH_A interface OUTSIDE_A

crypto map PATH_B 100 match address outside_1_cryptomap

crypto map PATH_B 100 set peer 10.1.1.1

crypto map PATH_B 100 set transform-set ESP-AES-128-SHA

crypto map PATH_B 100 set security-association lifetime seconds 28800

crypto map PATH_B 100 set security-association lifetime kilobytes 4608000

crypto map PATH_B 100 set reverse-route

crypto map PATH_B interface OUTSIDE_B

!

!

crypto isakmp enable OUTSIDE_A

crypto isakmp enable OUTSIDE_B

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 general-attributes

default-group-policy MY-VPN

tunnel-group 10.1.1.1 ipsec-attributes

pre-shared-key 123456

!

group-policy MY-VPN internal

group-policy MY-VPN attributes

vpn-tunnel-protocol IPSec

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pf
Level 1
Level 1

‎03-08-2013 04:05 PM

Hi Bill

This is possible, but you have to add the same crypto map to both of the inetrfaces

crypto map PATH_A interface OUTSIDE_A

crypto map PATH_A interface OUTSIDE_B

and it is not allowed to use the reverse route command.

You need to but also "timeout floating-conn 0:01:00"

I have used one internet connection for the site-to-site vpn and the other one for all other traffic (default route). All routes tracked with ip sla.

I have done that with 8.6

View solution in original post

0 Helpful
2 Replies 2

Go to solution
pf
Level 1
Level 1

‎03-08-2013 04:05 PM

Hi Bill

This is possible, but you have to add the same crypto map to both of the inetrfaces

crypto map PATH_A interface OUTSIDE_A

crypto map PATH_A interface OUTSIDE_B

and it is not allowed to use the reverse route command.

You need to but also "timeout floating-conn 0:01:00"

I have used one internet connection for the site-to-site vpn and the other one for all other traffic (default route). All routes tracked with ip sla.

I have done that with 8.6

0 Helpful

Go to solution
Bill CARTER
Level 5
Level 5
In response to pf

‎03-14-2013 06:07 AM

Thanks. This worked.

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents