02-18-2013 04:34 PM
Hi
I'm looking for assistance on automating a couple of failover scenarios: both VPN redundancy and black-hole internet traffic redundancy.
I currently use the more reliable T1 connection for the VPN connection and the DSL for internet traffic.
My current configuration is working but requires a manual update to get the VPN or black hole back up and operational when either link fails.
Please see my configs and image of my network.
Any help would be great.
-------------------------------------------------------
Spoke site Cisco 3750 Layer 3 switch
-------------------------------------------------------
interface Vlan1
ip address 172.18.3.1 255.255.255.0
!
ip default-gateway 172.18.3.248
! ip default-gateway 172.18.3.249
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.3.248
ip route 128.1.0.0 255.255.0.0 172.18.3.249
! ip route 0.0.0.0 0.0.0.0 172.18.3.249
! ip route 128.1.0.0 255.255.0.0 172.18.3.248
----------------------------------------------------------------
Spoke VPN backup ASA 5505 LAN IP: 172.18.3.248 WAN IP: 12.1.1.1
----------------------------------------------------------------
access-list outside_1_cryptomap extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
! crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive disable
Cisco Adaptive Security Appliance Software Version 8.2(5)
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
--------------------------------------------------------------------------
Spoke VPN T1 ASA 5505 LAN IP: 172.18.3.249 WAN IP: 42.2.2.2
--------------------------------------------------------------------------
access-list outside_1_cryptomap extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 8.3.3.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 8.3.3.3 type ipsec-l2l
tunnel-group 8.3.3.3 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive disable
Cisco Adaptive Security Appliance Software Version 8.2(5)
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
--------------------------------------------
Data Center ASA 5510 WAN IP: 8.3.3.3
--------------------------------------------
access-list inside_nat0_outbound_1 extended permit ip 128.1.0.0 255.255.0.0 172.18.3.0 255.255.255.0
access-list outside_41_cryptomap extended permit ip 128.1.0.0 255.255.0.0 172.18.3.0 255.255.255.0
crypto map outside_map 41 match address outside_41_cryptomap
crypto map outside_map 41 set pfs group1
crypto map outside_map 41 set peer 42.2.2.2
crypto map outside_map 41 set transform-set ESP-3DES-SHA
!crypto map outside_map 42 match address outside_41_cryptomap
!crypto map outside_map 42 set pfs group1
!crypto map outside_map 42 set peer 12.1.1.1
!crypto map outside_map 42 set transform-set ESP-3DES-SHA
tunnel-group 42.2.2.2 type ipsec-l2l
tunnel-group 42.2.2.2 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive disable
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive disable
Cisco Adaptive Security Appliance Software Version 8.2(5)
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
02-18-2013 07:33 PM
Hello mseanmiller,
A couple of ideas off the top of my head.
On your 3750 I would look into possibly using some IP SLAs with tracked routes, so that your 3750 would fail over automatically, which seems like one of your main issues.
Decent tutorial if you're not familiar: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
I assume from your config that both your 5505s have the tunnel group already pre-configured and that no extra config is needed on them when you have an outage?
If that's the case, then for your VPN redundancy I would look into "set connection-type":
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238363
To me, this documentation seems worded funny.
To configure a backup LAN-to-LAN connection, we recommend you configure one end of the connection as originate-only using the originate-only keyword, and the end with multiple backup peers as answer-only using the answer-only keyword. On the originate-only end, use the crypto map set peer command to order the priority of the peers. The originate-only security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the adaptive security appliance works its way down the list until either a peer responds or there are no more peers in the list.
First it suggests configuring the end with multiple peers as "answer-only", then further down it shows that the firewall configured with "originate-only" goes through the peer list.
For your situation I would do something like this.
Spoke VPN backup ASA 5505 LAN IP: 172.18.3.248 WAN IP: 12.1.1.1
crypto map outside_map 1 set connection-type answer-only
Spoke VPN T1 ASA 5505 LAN IP: 172.18.3.249 WAN IP: 42.2.2.2
crypto map outside_map 1 set connection-type answer-only
Data Center ASA 5510 WAN IP: 8.3.3.3
crypto map outside_map 41 set connection-type originate-only
crypto map outside_map 41 set peer 42.2.2.2 12.1.1.1
Be sure ISAKMP keepalives are on. This may be the correct command on the ASA: crypto isakmp keepalive 10 3
Note: Making changes to the crypto map will take down the tunnel.
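As an added example (not from the thread), here is how the IP SLA tracking Gabriel mentions could look on the spoke 3750, together with a DPD setting for the spoke ASAs in place of the posted `isakmp keepalive disable`. It assumes the 3750 has `ip routing` enabled and uses two constructed probe targets as placeholders: 128.1.0.10 for an always-on data-center host and 198.51.100.1 for the DSL provider's upstream router.

```cisco
! ===== Spoke 3750 (IOS 12.2(55)SE, IP Services) =====
! Assumes "ip routing" is on. Older 12.2SE images spell these commands
! "ip sla monitor" and "track 1 rtr 1 reachability" instead.
! Probe 1 tests the T1 path: echo a data-center host through the T1 ASA (.249).
! 128.1.0.10 is a constructed placeholder; pick an always-on host there.
ip sla 1
 icmp-echo 128.1.0.10 source-interface Vlan1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
! Probe 2 tests the DSL path: echo a public address through the DSL ASA (.248).
! 198.51.100.1 is a placeholder; use the DSL provider's upstream router.
ip sla 2
 icmp-echo 198.51.100.1 source-interface Vlan1
 frequency 10
 timeout 2000
ip sla schedule 2 life forever start-time now
! Track objects with hold-down timers so one lost echo does not flap the routes.
track 1 ip sla 1 reachability
 delay down 15 up 30
track 2 ip sla 2 reachability
 delay down 15 up 30
! Pin each probe target to the gateway it tests. Without these /32 routes the
! probe would follow the failover route and the track would never report down.
ip route 128.1.0.10 255.255.255.255 172.18.3.249
ip route 198.51.100.1 255.255.255.255 172.18.3.248
! Preferred routes stay installed only while their track object is up ...
ip route 128.1.0.0 255.255.0.0 172.18.3.249 track 1
ip route 0.0.0.0 0.0.0.0 172.18.3.248 track 2
! ... and floating statics (administrative distance 10) take over on failure.
ip route 128.1.0.0 255.255.0.0 172.18.3.248 10
ip route 0.0.0.0 0.0.0.0 172.18.3.249 10
!
! ===== Both spoke ASA 5505s, tunnel-group 8.3.3.3 (ASA 8.2 syntax) =====
! Replace "isakmp keepalive disable" with DPD so a dead peer is detected and
! the SA is torn down instead of lingering until its lifetime expires.
tunnel-group 8.3.3.3 ipsec-attributes
 isakmp keepalive threshold 10 retry 3
```

Both ASAs must pass the probe echoes and their replies (for example with `inspect icmp` in the global policy-map), and probe 1 only succeeds while the tunnel is up; with the spokes set to answer-only, only the data-center ASA can bring it up, so choose a target the data-center side keeps traffic flowing to.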
02-19-2013 08:42 PM
Thank you for the great advice, Gabriel.
I got everything working except for the IP SLA on the 3750 switch running IOS 12.2(46)SE.
12.2 supports EOT IP SLA, but I'm not sure that will work for me.
It looks like I'll need to upgrade to 12.4(4)T or greater to get this to work.
02-20-2013 05:15 AM
What feature set are you running? IP Base, IP Services, or Advanced IP Services?
I know IP Base doesn't support SLAs, but 12.2(46) IP Services should (I checked the Feature Navigator).
Please rate if you've found my posts helpful.
Thanks,
Gabriel
02-20-2013 08:21 AM
Unfortunately we are running IP Base.
c3750-ipbasek9-mz.122-46.SE.bin
Can you tell me if 12.4(4)T or greater with the feature set IP Base will work?
Or do I need IP Services on any of the 3750 IOS images to make IP SLA work?
Thanks for your help Gabriel.
02-20-2013 10:12 AM
Hello Mseanmiller,
I don't see any 12.4 releases for the 3750.
Can you post your "show version"? I believe the 15.0 release has SLA capability for the IP Base feature set, but if your switch is just a pure 3750 and not a 3750E, I don't believe 15.0 is available.
02-20-2013 10:35 AM
You are right.
The highest I can go is 12.2(55)SE7.
Plus I loaded the IP Services release.
LI-TEST-DSwc-3750-DSwc>sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:16 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
LI-TEST-DSwc-3750-DSwc uptime is 22 minutes
System returned to ROM by power-on
System restarted at 18:07:28 UTC Wed Feb 20 2013
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE7.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco WS-C3750-24P (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID CAT0948R53H
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:16:47:62:9E:80
Motherboard assembly number : 73-9672-07
Power supply part number : 341-0029-04
Motherboard serial number : CAT09480MUW
Power supply serial number : DTH0948A39X
Model revision number : H0
Motherboard revision number : A0
Model number : WS-C3750-24PS-S
System serial number : CAT0948R53H
Top Assembly Part Number : 800-25860-03
Top Assembly Revision Number : C0
Version ID : V04
CLEI Code Number : CNMV1K0CRC
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3750-24P 12.2(55)SE7 C3750-IPSERVICESK9-M
02-20-2013 10:38 AM
You should have everything you need with that feature set.
Let me know if you have any other questions.
Cheers,
Gabriel