I am using the Cisco ASA 5520 with Software Version 8.2(3). I have several site-to-site VPN connections and two separate ISP connections. I have set up the SLA tracker for the dual ISP so that if one fails the other one takes over. But I don't know how to do the same for the site-to-site IPSec VPN tunnels. I have read a few discussions on the Cisco Support Community but I am really confused about what to do. I have two outside interfaces: outside and WAN2. I understand you can only apply the crypto to one interface so how would I make the change to allow the VPN to failover when the primary ISP were to fail?
Here is my configuration for the cryptos and SLA tracker:
crypto map outside_map 10 match address ACL_VPN_1
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer x.x.x.x x x.x.x.x
crypto map outside_map 10 set transform-set NAME_SET
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address ACL_VPN_2
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x x
crypto map outside_map 20 set transform-set NAME_SET2
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.100 1 track 1
route WAN2 0.0.0.0 0.0.0.0 126.96.36.199 254
track 1 rtr 123 reachability
sla monitor 123
type echo protocol ipIcmpEcho 188.8.131.52 interface outside
sla monitor schedule 123 life forever start-time now
I configured a lab for this sometime ago and to my understanding the main things you have to take care of are
Here is the link to 8.2 software command that attaches the Crypto Map to the interface
In the above situation you have all the configuration under the single Crypto Map with different sequence numbers. Therefore you should be able to attach this Crypto Map to any interface you want and to multiple interfaces if you want.
I think the actual limitation was that you can only attach one Crypto Map to a single interface.
I might be able to look at my lab configuration later today and post it for you to compare.
That was valuable information. I just want to know how to attach the crypto map to more than one interface. Everything else I have figured out without any problems.
If you could look into that for me I would really appreciate it!!
Here is configurations from my Lab ASA5520 with Dual ISP
description Primary ISP
ip address 192.168.101.2 255.255.255.0
description Secondary ISP
ip address 192.168.102.2 255.255.255.0
ip address 10.0.20.2 255.255.255.0
route WAN-1 0.0.0.0 0.0.0.0 192.168.101.1 1 track 200
route WAN-2 0.0.0.0 0.0.0.0 192.168.102.1 254
route LAN 10.0.0.0 255.255.255.0 10.0.20.1 1
access-list L2L-VPN-CRYPTOMAP remark Encryption Domain
access-list L2L-VPN-CRYPTOMAP extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list LAN-NAT0 extended permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (LAN) 0 access-list LAN-NAT0
sla monitor 200
type echo protocol ipIcmpEcho 192.168.101.1 interface WAN-1
sla monitor schedule 200 life forever start-time now
track 200 rtr 200 reachability
crypto ipsec transform-set AES-256 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CRYPTOMAP 10 match address L2L-VPN-CRYPTOMAP
crypto map CRYPTOMAP 10 set peer 192.168.103.2
crypto map CRYPTOMAP 10 set transform-set AES-256
crypto map CRYPTOMAP interface WAN-1
crypto map CRYPTOMAP interface WAN-2
crypto isakmp enable WAN-1
crypto isakmp enable WAN-2
crypto isakmp policy 10
tunnel-group 192.168.103.2 type ipsec-l2l
tunnel-group 192.168.103.2 ipsec-attributes
Hope this helps
If you can attach the same crypto map to multiple interfaces, can you create multiple crypto maps and attach them to individual interfaces? For example a crypto map for each interface (crypto map WAN1 & crypto map WAN2).
Also what would be the pros and cons of doing it this way? Does a new crypto map eat up more resources? Or is it generally always better to have just one crypto map?