
VPN failover: two 5505 ASAs to 5510

Hi

I'm looking for assistance on automating a couple of failover scenarios: both VPN redundancy and black-hole internet traffic redundancy.

I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.

My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.

Please see my configs and image of my network.

Any help would be great.

-------------------------------------------------------
Spoke site Cisco 3750 Layer 3 switch
-------------------------------------------------------

interface Vlan1
 ip address 172.18.3.1 255.255.255.0
!
! Active today: Internet (default route) via the DSL ASA (.248), VPN subnet via the T1 ASA (.249).
ip default-gateway 172.18.3.248
! ip default-gateway 172.18.3.249
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.3.248
ip route 128.1.0.0 255.255.0.0 172.18.3.249
! The manual failover alternative (gateways swapped), kept commented out:
! ip route 0.0.0.0 0.0.0.0 172.18.3.249
! ip route 128.1.0.0 255.255.0.0 172.18.3.248

----------------------------------------------------------------
Spoke VPN backup ASA 5505 LAN IP:172.18.3.248 WAN IP:12.1.1.1
----------------------------------------------------------------

access-list outside_1_cryptomap extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
! Peer commented out on the backup unit (the manual failover step mentioned above).
! crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive disable

Cisco Adaptive Security Appliance Software Version 8.2(5)

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled
This platform has a Base license.

--------------------------------------------------------------------------
Spoke VPN T1 ASA 5505 LAN IP:172.18.3.249 WAN IP:42.2.2.2
--------------------------------------------------------------------------

access-list outside_1_cryptomap extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive disable

Cisco Adaptive Security Appliance Software Version 8.2(5)

Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
This platform has a Base license.

--------------------------------------------
Data Center ASA 5510 WAN IP:8.3.3.3
--------------------------------------------

access-list inside_nat0_outbound_1 extended permit ip 128.1.0.0 255.255.0.0 172.18.3.0 255.255.255.0
access-list outside_41_cryptomap extended permit ip 128.1.0.0 255.255.0.0 172.18.3.0 255.255.255.0
crypto map outside_map 41 match address outside_41_cryptomap
crypto map outside_map 41 set pfs group1
crypto map outside_map 41 set peer 42.2.2.2
crypto map outside_map 41 set transform-set ESP-3DES-SHA
! Second entry for the backup spoke, commented out (the manual failover step):
!crypto map outside_map 42 match address outside_41_cryptomap
!crypto map outside_map 42 set pfs group1
!crypto map outside_map 42 set peer 12.1.1.1
!crypto map outside_map 42 set transform-set ESP-3DES-SHA
tunnel-group 42.2.2.2 type ipsec-l2l
tunnel-group 42.2.2.2 ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive disable
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive disable

Cisco Adaptive Security Appliance Software Version 8.2(5)

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled
This platform has an ASA 5510 Security Plus license.

7 Replies

Re: VPN failover: two 5505 ASAs to 5510

Hello mseanmiller,

A couple of ideas off the top of my head.

On your 3750 I would look into possibly using some IP SLAs with tracked routes, so that your 3750 would automatically fail over, which seems like one of your main issues.

Decent tutorial if you're not familiar: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html

I assume from your config that both your 5505s have the tunnel group already pre-configured and no extra config is needed on them when you have an outage?

If that's the case then for your VPN redundancy I would look into "set connection-type":

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238363

To me, this documentation seems worded funny:

To configure a backup LAN-to-LAN connection, we recommend you configure one end of the connection as originate-only using the originate-only keyword, and the end with multiple backup peers as answer-only using the answer-only keyword. On the originate-only end, use the crypto map set peer command to order the priority of the peers. The originate-only security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the adaptive security appliance works its way down the list until either a peer responds or there are no more peers in the list.

First it suggests configuring the end with multiple peers as "answer-only", then further down it shows that the firewall configured "originate-only" goes through the peer list.

For your situation I would do something like this.

Spoke VPN backup ASA 5505 LAN IP:172.18.3.248 WAN IP:12.1.1.1
crypto map outside_map 1 set connection-type answer-only

Spoke VPN T1 ASA 5505 LAN IP:172.18.3.249 WAN IP:42.2.2.2
crypto map outside_map 1 set connection-type answer-only

Data Center ASA 5510 WAN IP:8.3.3.3
crypto map outside_map 41 set connection-type originate-only
crypto map outside_map 41 set peer 42.2.2.2 12.1.1.1

Be sure ISAKMP keepalives are on. This may be the correct command on the ASA (crypto isakmp keepalive 10 3).

Note: Making changes to the crypto map will take down the tunnel.
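As an added illustration of the originate-only / answer-only arrangement described in the reply above (this is an editor's example, not part of the original thread), here is how the crypto maps and tunnel-groups of all three units would look on ASA 8.2 once the backup peer is folded into a single hub-side crypto map entry. The pre-shared keys are placeholders, the DPD timers are assumptions, and the `crypto map ... interface outside` / `crypto isakmp enable outside` lines are repeated from the posted backup-unit config so each spoke block is complete.

```cisco
! --- Data Center ASA 5510, WAN 8.3.3.3: originates, ordered peer list ---
! One crypto map entry covers both spokes; peers are tried in the order listed.
access-list outside_41_cryptomap extended permit ip 128.1.0.0 255.255.0.0 172.18.3.0 255.255.255.0
crypto map outside_map 41 match address outside_41_cryptomap
crypto map outside_map 41 set pfs group1
crypto map outside_map 41 set peer 42.2.2.2 12.1.1.1
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set connection-type originate-only
!
! On ASA 8.2, dead peer detection lives under each tunnel-group's ipsec-attributes
! (this replaces the "isakmp keepalive disable" in the posted configs).
! threshold = idle seconds before a DPD probe; retry = seconds between retries (assumed values).
tunnel-group 42.2.2.2 type ipsec-l2l
tunnel-group 42.2.2.2 ipsec-attributes
 pre-shared-key <unique-strong-key-T1>
 isakmp keepalive threshold 10 retry 3
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 pre-shared-key <unique-strong-key-DSL>
 isakmp keepalive threshold 10 retry 3
!
! --- Spoke T1 ASA 5505, WAN 42.2.2.2: answers only, never initiates ---
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
 pre-shared-key <unique-strong-key-T1>
 isakmp keepalive threshold 10 retry 3
!
! --- Spoke backup (DSL) ASA 5505, WAN 12.1.1.1: same shape, its own key ---
! The "set peer" line stays active here: answer-only already guarantees this unit
! never initiates, so there is no longer a reason to keep the peer commented out.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
 pre-shared-key <unique-strong-key-DSL>
 isakmp keepalive threshold 10 retry 3
```

To check it, watch `show crypto isakmp sa` and `show crypto ipsec sa` on the 5510 while the T1 is unplugged: the peer should move from 42.2.2.2 to 12.1.1.1 once DPD has declared the first peer dead (threshold plus the retries). One caveat worth knowing up front: an originate-only hub only negotiates when it sees traffic matching outside_41_cryptomap, and answer-only spokes never initiate, so after an outage the tunnel stays down until something at the data center sends traffic toward 172.18.3.0/24. A periodic ping from a data-center host to 172.18.3.1 is enough to keep that happening. Use a different, strong pre-shared key per tunnel-group rather than the shared value in the posted configs.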

VPN failover: two 5505 ASAs to 5510

Thank you for the great advice Gabriel,

I got everything working except for the IP SLA on the 3750 switch running IOS 12.2(46)SE

12.2 supports EOT IP SLA but I'm not sure that will work for me.

It looks like I'll need to upgrade to 12.4(4)T or greater to get this to work.

VPN failover: two 5505 ASAs to 5510

What feature set are you running? IP Base, IP Services, or Advanced IP Services?

I know IP Base doesn't support SLAs, but 12.2(46) IP Services should (I checked the Feature Navigator).

Please rate if you've found my posts helpful.

Thanks,

Gabriel

VPN failover: two 5505 ASAs to 5510

Unfortunately we are running IP Base.

c3750-ipbasek9-mz.122-46.SE.bin

Can you tell me if 12.4(4)T or greater with the feature set IP Base will work?

Or do I need IP Services on any of the 3750 IOS images to make IP SLA work?

Thanks for your help Gabriel.

VPN failover: two 5505 ASAs to 5510

Hello Mseanmiller,

I don't see any 12.4 releases for the 3750.

Can you post your "show version"? I believe the 15.0 releases have SLA capability for the "IP BASE" feature set, but if your switch is just a pure "3750" and not a 3750E, I don't believe 15.0 is available.

VPN failover: two 5505 ASAs to 5510

You are right.

The highest I can go is 12.2(55)SE7.

Plus I loaded the IP Services release.

LI-TEST-DSwc-3750-DSwc>sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:16 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

LI-TEST-DSwc-3750-DSwc uptime is 22 minutes
System returned to ROM by power-on
System restarted at 18:07:28 UTC Wed Feb 20 2013
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750-24P (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID CAT0948R53H
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:16:47:62:9E:80
Motherboard assembly number     : 73-9672-07
Power supply part number        : 341-0029-04
Motherboard serial number       : CAT09480MUW
Power supply serial number      : DTH0948A39X
Model revision number           : H0
Motherboard revision number     : A0
Model number                    : WS-C3750-24PS-S
System serial number            : CAT0948R53H
Top Assembly Part Number        : 800-25860-03
Top Assembly Revision Number    : C0
Version ID                      : V04
CLEI Code Number                : CNMV1K0CRC
Hardware Board Revision Number  : 0x01


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3750-24P       12.2(55)SE7           C3750-IPSERVICESK9-M

VPN failover: two 5505 ASAs to 5510

You should have everything you need with that feature set.

Let me know if you have any other questions.

Cheers,

Gabriel
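To close the loop on the IP SLA approach suggested earlier in the thread, here is an added example (an editor's illustration, not part of the original posts) of tracked static routes for the 3750 on the 12.2(55)SE IP Services image shown above. It covers both failover cases the original question asked about: the VPN route to 128.1.0.0/16 and the default route for internet traffic. The probe targets (128.1.0.10 as a pingable host at the data center, 12.1.1.254 as the DSL provider's gateway) and the timers are assumptions.

```cisco
! Added example for the 3750 (IOS 12.2(55)SE, IP Services): IP SLA + object tracking.
! Assumed, not from the thread: 128.1.0.10 answers ping at the data center through
! the tunnel; 12.1.1.254 is the DSL provider's gateway beyond the DSL ASA.
!
! Probe 1 tests the VPN path (T1 ASA, .249) by pinging through the tunnel.
ip sla 1
 icmp-echo 128.1.0.10 source-ip 172.18.3.1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Probe 2 tests the Internet path (DSL ASA, .248).
ip sla 2
 icmp-echo 12.1.1.254 source-ip 172.18.3.1
 frequency 10
 timeout 2000
ip sla schedule 2 life forever start-time now
!
! Track objects; the delay dampens a single lost echo so the routes do not flap.
track 1 ip sla 1 reachability
 delay down 30 up 30
track 2 ip sla 2 reachability
 delay down 30 up 30
!
! Pin each probe target to the path it measures. Without these host routes a probe
! would follow the tracked route after a failover, succeed via the backup path,
! bring its track back up, reinstall the primary route, and flap.
ip route 128.1.0.10 255.255.255.255 172.18.3.249
ip route 12.1.1.254 255.255.255.255 172.18.3.248
!
! Primary routes are installed only while their track is up; the floating routes
! (administrative distance 10) take over automatically and withdraw when the
! primary returns. These replace the manual swap of the commented-out routes.
ip route 128.1.0.0 255.255.0.0 172.18.3.249 track 1
ip route 128.1.0.0 255.255.0.0 172.18.3.248 10
ip route 0.0.0.0 0.0.0.0 172.18.3.248 track 2
ip route 0.0.0.0 0.0.0.0 172.18.3.249 10
```

Verify with `show track` and `show ip sla statistics`, then pull the T1 and confirm with `show ip route` that 128.1.0.0/16 moves to 172.18.3.248. Two things must be true for the probes to work at all: the echo replies have to be allowed back through the ASAs (`inspect icmp` in the global policy, or an explicit inbound ACL entry), and the VPN probe only proves anything while the spoke-to-hub tunnel is up, so pair it with the hub-side keepalive and originate-only arrangement from the earlier reply rather than relying on it alone.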