02-07-2013 07:14 AM
Hi, wonder if anyone can comment on the following, a customer is trying to configure site to site VPN configuration with a 3rd party supplier. 3rd party supplier is providing 2 VPN gateways (live and DR/backup) into same network, but the gateways are different public IPs. Customer has single ASA.
How would this be configured from the ASA to essentially make the same destination network available over 2 separate tunnels (1 to each separate endpoint)? Would you do something like:
1) Configure the tunnels to carry the same traffic, but preference one over the other (or keep second tunnel down until it's required) - is this possible?
2) Use NATing to assign different ranges to each tunnel at the ASA end, then in event of failover change the IP addresses at the application level to reference the range on Tunnel B (rather than Tunnel A) - which would in fact be NAT'd back to same destination
eg.
3.3.3.1 -> Tunnel A -> NAT to 192.168.1.1
4.4.4.1 -> Tunnel B -> NAT to 192.168.1.1
3) Configure 1 tunnel on ASA with target of Gateway A and reconfigure same tunnel to alternative gateway if need arises.
I know 3) is possible, 2) would be poor (labour intensive, or possibly just manual DNS change I suppose). Was interested in whether option 1) or similar was possible? Waiting on response from 3rd party supplier as to intended configuration.
02-07-2013 07:27 AM
Just set multiple peer addresses on the crypto map for that sequence number.
crypto map outside_map 1 set peer x.x.x.x y.y.y.y
It will try to build the tunnel with x.x.x.x first, if it fails, it will try y.y.y.y.
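Added example, not from this thread: the dual-peer crypto map described in the reply above, written out as an ASA 8.4+ configuration. The peer addresses 203.0.113.10/.20, the networks 10.10.20.0/24 and 192.168.1.0/24, the object/ACL names and the PSK placeholders are all assumptions.

```text
! --- Interesting traffic: one ACL, one crypto map entry, shared by both peers ---
access-list VPN_SUPPLIER extended permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! --- Exempt VPN traffic from dynamic NAT so it enters the tunnel unchanged ---
object network LOCAL_NET
 subnet 10.10.20.0 255.255.255.0
object network SUPPLIER_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static SUPPLIER_NET SUPPLIER_NET no-proxy-arp route-lookup
!
! --- Phase 1 / Phase 2 proposals (must match what the supplier's gateways offer) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- One crypto map entry, two peers: live gateway first, DR gateway second ---
crypto map outside_map 1 match address VPN_SUPPLIER
crypto map outside_map 1 set peer 203.0.113.10 203.0.113.20
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! --- A tunnel-group (and its own PSK) per peer; DPD so a dead primary is noticed quickly ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-PRIMARY-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-DR-PSK
 isakmp keepalive threshold 10 retry 2
```

Once the ASA has brought the tunnel up to the second peer it stays there; it only returns to the first peer after that SA is torn down (lifetime expiry, DPD failure or a manual clear), so check which peer is active with `show crypto ikev1 sa` before assuming you are back on the live gateway.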
11-16-2013 11:18 AM
Hello,
Will this apply to my scenario as well?
I am also trying to simulate a similar kind of setup.
ASA1
Inside: 10.10.20.1/24
Outside1: 81.171.171.26/30
Outside2: 95.45.23.34/30
Intermediate Internet:
F0/0(connected to ASA1 Outside1): 81.171.171.25/30
F0/1(connected to ASA3 Outside): 92.45.23.33/30
F1/0(connected to ASA2 Outside): 91.45.23.33/30
F2/0(connected to ASA1 Outside2): 95.45.23.33/30
ASA2
Inside: 10.10.10.1/24
Outside: 91.45.23.34/30
ASA3
Inside: 10.10.10.1/24
Outside: 92.45.23.34/30
I want to set up two tunnels from ASA1 (one to ASA2 and a 2nd to ASA3) with the same interesting traffic. This is sort of a failover. I set a default route of 0.0.0.0 0.0.0.0 81.171.171.25 on the Outside1 interface in ASA1. I cannot create a 2nd default route for the Outside2 interface in ASA1 again. The tunnel between ASA1 and ASA3 is not up. Can someone help here!!!
11-16-2013 11:21 AM
Will I need 2 physical interfaces at ASA1, or will the same e0 interface work for both tunnel peers?
11-18-2013 01:29 PM
Hello,
I actually tried the way you suggested and the tunnels are failing over. It's just that when the secondary tunnel is up, I am not able to ping the interesting traffic across. Any thoughts on this?