03-08-2013 11:14 AM
I have an ASA connected to 2 ISPs. I am using object tracking for the default route so only 1 path is used at a time. I have a L2L VPN setup going out interface A. I would like to configure a 2nd VPN going out interface B with identical parameters.
Is this possible?
(ASA software 8.2)
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A 1 set reverse-route
crypto map PATH_A interface OUTSIDE_A
crypto map PATH_B 100 match address outside_1_cryptomap
crypto map PATH_B 100 set peer 10.1.1.1
crypto map PATH_B 100 set transform-set ESP-AES-128-SHA
crypto map PATH_B 100 set security-association lifetime seconds 28800
crypto map PATH_B 100 set security-association lifetime kilobytes 4608000
crypto map PATH_B 100 set reverse-route
crypto map PATH_B interface OUTSIDE_B
!
!
crypto isakmp enable OUTSIDE_A
crypto isakmp enable OUTSIDE_B
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 general-attributes
default-group-policy MY-VPN
tunnel-group 10.1.1.1 ipsec-attributes
pre-shared-key 123456
!
group-policy MY-VPN internal
group-policy MY-VPN attributes
vpn-tunnel-protocol IPSec
03-08-2013 04:05 PM
Hi Bill
This is possible, but you have to add the same crypto map to both of the interfaces
crypto map PATH_A interface OUTSIDE_A
crypto map PATH_A interface OUTSIDE_B
and it is not allowed to use the reverse route command.
You also need to put "timeout floating-conn 0:01:00"
I have used one internet connection for the site-to-site vpn and the other one for all other traffic (default route). All routes tracked with ip sla.
I have done that with 8.6
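As an added illustration of the answer above (this is not the poster's configuration and is not from the original thread), here is what the combined ASA 8.2 configuration could look like once a single crypto map is bound to both ISP interfaces, "set reverse-route" is dropped and the floating-conn timeout is set. The default route is tracked with SLA monitor as the answer describes; the gateway addresses, the ICMP probe target and the SLA/track numbers are assumed values, and the tunnel-group and group-policy from the question are left unchanged.

```cisco
! One crypto map for the L2L peer, applied to both ISP interfaces.
! No "set reverse-route": the tunnel must follow the tracked default route.
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A interface OUTSIDE_A
crypto map PATH_A interface OUTSIDE_B
!
crypto isakmp enable OUTSIDE_A
crypto isakmp enable OUTSIDE_B
!
! Tear down existing connections whose route has gone away after one minute,
! so flows re-establish over the surviving ISP instead of hanging on the dead one.
timeout floating-conn 0:01:00
!
! Track reachability of ISP A through OUTSIDE_A (assumed probe target 203.0.113.1).
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE_A
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
!
! Primary default route is withdrawn when the tracker fails; the backup has a worse metric.
! Gateway addresses are assumed values.
route OUTSIDE_A 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route OUTSIDE_B 0.0.0.0 0.0.0.0 198.51.100.1 254
```

Because IKE is now initiated from whichever ISP address currently holds the default route, the remote peer has to accept this ASA under both of its public addresses (for example a tunnel-group for each, using the same pre-shared key); otherwise the tunnel stays down after a failover even though the local side is correct. After a failover, confirm which path is active with "show route" and "show track 10", and check that the new security association came up with "show crypto isakmp sa".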
03-14-2013 06:07 AM
Thanks. This worked.
Sent from Cisco Technical Support iPhone App