ASA5505 configure VPN Primary and Backup

rechard_hk
Level 1

Dear Expert,

I would like to ask you a question, as I'm not clear about how to set up a primary and backup VPN connection. How can we do this? (I mean that when the primary goes down, the backup connection comes up automatically.)

Could you advise me on how I can do it?

Best Regards,

Rechard_hk

2 Accepted Solutions

I guess we should have asked for a little more information; it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.

I had geared more towards a fault tolerance scenario for a failed firewall or a failed ISP connection in a dual FW and dual ISP architecture.

Assuming you want to have a redundant firewall design, that is where you look into Active/Standby firewalls to provide firewall redundancy, but when it comes to continuous connections with VPNs when one firewall fails, that is where the stateful feature comes into place.

I'm providing a few links below for reference to get an idea of active and standby FWs, but the ASA5505 is the only model that is stateless; it is not stateful, which means connections will need to re-establish when one firewall fails.

Also, in order to implement dual firewalls for failover you will need the Security Plus license to enable the active and standby feature. This license will also include the activation of DMZ support and the ability to create up to 20 VLANs, as well as Dual ISP support.

Example of active/standby

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

ASA comparison - look into the IPsec Plus license and features.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

On the other hand, you may in future have a backup ISP link: not only would you have Active/Standby failover, but you may also want to have a backup ISP link should the primary link fail, using SLA and static route tracking.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Rgds

Jorge

Jorge Rodriguez


I liked Jorge's suggestions,

but I think the idea I have given above, to configure one map with two tunnel groups and two sequence numbers, is better in one way:

with active/standby, in addition to the required license, you are going to make a whole firewall passive, waiting for the active one to fail before it handles the traffic,

while in my opinion, if you follow the idea I have given,

you can use both firewalls on the other site while you have them as primary and backup for your site's VPN.

In other words, it is like two in one:

you have two active firewalls on that site,

and you also have a backup VPN device for the VPN tunnels.

Again, Jorge's suggestion is great and professional.

Good luck,

and please rate if helpful.


12 Replies

Marwan ALshawi
VIP Alumni

Is it a site-to-site VPN,

and do both have the same LAN behind them?

I mean, are the networks behind them the same IPs or different?

If they have the same private network behind them,

what I suggest you do is create another tunnel group for the backup VPN,

and in the crypto map:

crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer 192.168.6.2

Here the IP address represents your primary VPN peer.

crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer 192.168.6.5

Here the IP address represents the backup VPN peer.

Notice that the map name is the same but the sequence number is higher,

so the ASA will first try the map entry with number 10;

if not successful, it will go to number 20.

Also, in the above config I assume that both remote peers, the primary and the backup, have the same LAN behind them, which matches ACL 101 in the above config.

Don't forget to make a separate L2L tunnel group for the backup VPN peer and, under tunnel-group ipsec-attributes, put the shared key for the backup peer.

Briefly, it is like you are defining two site-to-site VPNs,

but you are going to make their map the same map with a different sequence number.

Good luck.

Please rate if helpful.

Dear marwanshawi,

Thank you for your advice :)

OK, I understood the commands that you gave me. Could I ask you again?

1. During dual ISP, when both are up, does all the traffic go through both ISPs or not?

If the traffic goes through both, how can we know which client goes to ISP1 and which client goes to ISP2?

Best regards,

Rechard_hk

The above config is regarding the primary and backup ASA VPN.

As for ISP use, it is related to how you route your traffic: are you load balancing or load sharing the traffic, or using it in an active and backup manner?

You can also control your users to prefer one link over the other through the default route.

Let's say ISP 1 is reached through IP 1.1.1.1 and ISP 2 through 2.2.2.2:

route outside 0 0 1.1.1.1
route outside 0 0 2.2.2.2 5

So all the traffic will go through ISP 1;

once ISP1 is down, the traffic will flow through ISP2.

Please rate if helpful.

JORGE RODRIGUEZ
Level 10

You could accomplish this through an Active/Standby configuration and enable stateful failover for this to work. Unfortunately the ASA5505 does not support stateful failover; you can still have Active/Standby with dual ISP as a backup link, but if the primary ASA5505 fails the standby takes over without carrying stateful traffic, that is VPN traffic: VPN tunnels will require reconnections.

HTH

Jorge

Jorge Rodriguez

Dear Jorgemcse,

Thank you for your advice :)

Could you let me know about Active/Standby on the ASA? I'm not clear: can Active/Standby be done with only one box, or does it have to be two boxes?

Is it possible or not to do Active/Standby when I have only one box?

One more thing, I have a problem on the ASA 5505:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Advanced Endpoint Assessment : Disabled

I can create interface vlan1 and vlan2, but when I create one more interface, vlan3, it is not allowed. What is going on, and how can I do it?

I mean I want to create WAN, LAN and DMZ.

Best regards,

Rechard_hk


Dear Jorge,

Thank you for your advice.

Best Regards,

Rechard_hk

Dear Jorge,

Sorry to disturb you again.

I'm not clear about one line when we do show ver:

Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

On the line (VLANs : 3, DMZ Restricted) it says VLANs: 3, but I can only create two VLANs. What is wrong?

Best Regards,

Rechard_hk

Rechard_hk,

You should already have Vlan1, possibly as your inside interface, and Vlan2 as the outside interface. You should be able to create a 3rd VLAN.

i.e.

say you need to create vlan100 with security level 50

for the 10.10.10.0/24 network:

interface Vlan100
 no forward interface Vlan1
 nameif test
 security-level 50
 ip address 10.10.10.1 255.255.255.0

Then allocate a port on the ASA built-in switch:

interface Ethernet0/4
 switchport access vlan 100
 no shutdown

nat (test) 1 0.0.0.0 0.0.0.0

Rgds

Jorge

Jorge Rodriguez

Dear Jorgemcse,

I still have the problem; when I type this command it shows as below:

Branch(config)# int vl
Branch(config)# int vlan 100
Branch(config-if)# ip add 50.50.50.50 255.255.255.0
Branch(config-if)# no shut
Branch(config-if)# nameif star
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

Could you let me know how I can do it?

Best Regards,

rechard_hk

Rechard,

I believe you may be bound to the Base license. I have an ASA5505 with the Sec Plus license in my lab, so I could not test your scenario properly. Reading a bit further into the license specs for the ASA5505 to understand what "VLANs : 3, DMZ Restricted" means, it seems that the 3rd VLAN may be a DMZ based on Table 3-1 in the link below, but I could be wrong; try using nameif DMZ, and if it does not work I would suggest upgrading the license to Security Plus, the part number is ASA5505-SEC-PL. With Sec Plus all ASA5505 features will be unlocked. I find this base license or 50-user license etc. nonsense, but that's the way it is.

Table 3-1 License Restrictions on Active VLANs

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html#wp1101628

ASA Licenses

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

ASA 5505 Complete specs

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Let me know how it works out.

Rgds

Jorge

Jorge Rodriguez