09-18-2013 10:01 AM
Hello,
Question:
I have a pair of ASA 5252X for VPN traffic; the interfaces are:
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
Can I have two "outside" interfaces, i.e. multiple ISPs, for VPN traffic (site to site)?
- Inside
- DMZ
- Outside - ISP1 - IP 1.1.1.1
- Outside2 - ISP2 - IP 2.2.2.2
I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is that possible?
Tks.
Rafael
09-18-2013 10:36 AM
Hi Rafael,
You have to configure SLA monitoring on the ASA.
Follow the link below:
For the VPN part, check the link below:
HTH!
Regards,
Naresh
09-18-2013 10:40 AM
Yes Rafael, it is possible.
You need to configure SLA monitoring on the ASA for the ISP failover.
And for the VPN, add the second ISP IP as a backup peer on the remote device.
On your ASA where you have dual ISP, the same crypto map will be applied on both interfaces.
In case you need any assistance regarding the configuration, let me know.
Configuration should look something like this:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.200.159.2 255.255.255.248
interface Ethernet2
 nameif inside
 security-level 100
 ip address 172.22.1.163 255.255.255.0
interface Ethernet1
 nameif backup
 security-level 0
 ip address 10.250.250.2 255.255.255.248
!
! 172.22.1.0/24 is your internal private range; x.x.x.x x.x.x.x is the remote site's internal range you want to access
access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 x.x.x.x x.x.x.x
access-list nonat permit ip 172.22.1.0 255.255.255.0 x.x.x.x x.x.x.x
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
! x.x.x.x is the public IP of the remote site
crypto map outside_map 20 match address outside_crypto_1
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! the same crypto map is bound to both ISP interfaces, and ISAKMP is enabled on both
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
!
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! x.x.x.x is the public IP of the remote site
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key cisco123
!
! the primary default route is tied to track 1; the backup route (metric 254) only takes over when the track goes down
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
!
! ICMP echo probe sent out the outside interface every 10 seconds drives track 1
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
Important Information:
===============================================
** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting replies it will flush the primary route and start pointing the routes toward the backup interface.
** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.
** As soon as the ASA starts getting replies from the outside interface again, it will point the routes back towards the MPLS interface.
** I hope this answers your query.
Thanks
Jeet
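An added check, not from the thread or from Cisco: a Python script that reads a config in the shape Jeet posted and verifies that the dual-ISP failover pieces line up (crypto map and ISAKMP on both ISP interfaces, one tracked default route with a worse backup metric, and an SLA echo probe that leaves via the tracked interface). The sample config below is constructed, and 203.0.113.10 is a documentation address standing in for the remote peer.

```python
import re
# Constructed sample modelled on the thread's config; 203.0.113.10 is a
# documentation address standing in for the remote peer.
SAMPLE_CONFIG = """\
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
track 1 rtr 123 reachability
"""

def check_failover(config, isp_ifaces=("outside", "backup")):
    """Return a list of findings; an empty list means the failover pieces line up."""
    findings, want = [], set(isp_ifaces)
    # 1. Crypto map bound and ISAKMP enabled on every ISP interface, else no tunnel after the route flips.
    crypto_ifaces = set(re.findall(r"^crypto map \S+ interface (\S+)", config, re.M))
    isakmp_ifaces = set(re.findall(r"^crypto isakmp enable (\S+)", config, re.M))
    findings += [f"crypto map not applied on {n}" for n in sorted(want - crypto_ifaces)]
    findings += [f"isakmp not enabled on {n}" for n in sorted(want - isakmp_ifaces)]
    # 2. Every ISP interface needs a default route; exactly one carries the track.
    routes = {}  # nameif -> (metric, track id or None)
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$", config, re.M):
        routes[m.group(1)] = (int(m.group(2)), m.group(3))
    findings += [f"no default route on {n}" for n in sorted(want - set(routes))]
    tracked = [n for n, (_, t) in routes.items() if t]
    if len(tracked) != 1:
        findings.append(f"expected one tracked default route, found {len(tracked)}")
        return findings
    primary, (pmetric, track_id) = tracked[0], routes[tracked[0]]
    # Backup routes must be worse than the primary so they only win once the tracked route is flushed.
    for n, (metric, _) in routes.items():
        if n != primary and metric <= pmetric:
            findings.append(f"route on {n} (metric {metric}) does not lose to {primary} (metric {pmetric})")
    # 3. The track must point at an SLA echo probe leaving via the primary; probing via the backup never sees a primary ISP failure.
    m = re.search(rf"^track {track_id} rtr (\d+) reachability", config, re.M)
    sla_id = m.group(1) if m else None
    probe = re.search(rf"^sla monitor {sla_id}\n(?:(?!sla monitor).*\n)*?[ \t]*type echo .* interface (\S+)",
                      config, re.M) if sla_id else None
    if not probe:
        findings.append(f"track {track_id} has no matching sla monitor echo probe")
    elif probe.group(1) != primary:
        findings.append(f"sla {sla_id} probes via {probe.group(1)} but the tracked route is on {primary}")
    return findings
```

Run it against your own `show running-config` output (the interface names can be passed in `isp_ifaces`) before relying on the failover.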
09-18-2013 10:42 AM
Ok!
Tks!
09-24-2013 03:52 AM
But does the VPN work at the same time on two different ISP IPs?
Let's say one remote user is connected via ISP01
and another remote user via ISP02?
Regards!
10-09-2023 02:46 PM
I configured an SLA IP, but keep in mind that when I send pings to the public interfaces, only the one on the active route answers. How do I get the two external interfaces to answer a ping?