ASA backup site to site VPN configuration

gturner
Level 1

We are attempting to implement a VPN configuration using an ASA 8.02 at a Central site which terminates remote site VPN connections from IOS routers (12.4), using static crypto maps.

We have a functional configuration, but are looking to implement a backup site-to-site configuration on the ASA, using different service providers.

The observation is that as soon as I add the 'connection-type originate-only' to the crypto map on the ASA, the tunnel is fatally broken. As soon as the statement is removed, the tunnel is restored.

I will be happy to add host configurations in due course, but just wanted to confirm that the 'connection-type originate-only' configuration on the Central ASA is supported with the Cisco IOS peer. Documentation seems to indicate there is some sort of proprietary exchange that is supported only between ASA peers.

If it is relevant, the ASA is configured with AM-disable, and we are using PSK as the authentication.

Thanks,

7 Replies

Graham,

The recommendation is to configure one end of the connection as originate-only using the originate-only keyword, and the end with multiple backup peers as answer-only using the answer-only keyword. On the originate-only end, use the crypto map set peer command to order the priority of the peers.

This feature works only between the following platforms:

Two Cisco ASA 5500 series security appliances

A Cisco ASA 5500 series security appliance and a Cisco VPN 3000 concentrator

A Cisco ASA 5500 series security appliance and a security appliance running Cisco PIX security appliance software v7.0, or higher

Since this configuration is not supported to IOS, I believe you should be fine with connection-type bidirectional.

Having AM-disable I think affects only VPN clients (not site-to-site) and having PSK for authentication is perfectly acceptable.

Federico.

Federico, thanks for the post back.

My reference is the Cisco Press ASA reference, p484, from which I quote:

'if you need to specify multiple peers in your crypto-map sequence for redundancy, then you need to set connection type to originate only'

Are you indicating though that the bidirectional ASA configuration will be functional if I need to use the multiple peers in the crypto map set peer?

Bit more advanced question: what is it that is missing in IOS that means what seems to me to be the preferable 'originate-only' configuration does not work?

Graham,

Yes, but if I'm not mistaken the need to use originate-only was a limitation prior to 7.2 code.

Which version of ASA is the document referring to?

Federico.

Federico, we are on 8.2 ASA, so would you say we are good to go with the default 'bidirectional' ASA, multiple peer config, and IOS as the peer?

Hi Graham,

The following link will explain the details of the command to you:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238363

The L2L tunnel will have an initiator and a responder.

The command set connection-type originate-only will make sure that the ASA is configured for originating the tunnel only, i.e. initiator only.

If you make it bidirectional then the ASA can act as an initiator or a responder.

Also to answer the 2nd question: it is a feature which is supported only with the PIX or the ASA or Concentrator, as mentioned in the guide.

I cannot comment on the missing details of the IOS. I guess that's how it is designed.

Hope that answers the question.

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

Anisha, thanks for further note back.

So to confirm that the 'originate-only' configuration is not mandatory for the ASA to support multiple peers in the crypto map?

Hi,

It is not mandatory. Here is the link which answers your question.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#addbackup

Yet it is recommended by Cisco:

In order to configure a backup LAN-to-LAN connection, Cisco recommends that you configure one end of the connection as originate-only with the originate-only keyword, and the end with multiple backup peers as answer-only with the answer-only keyword. On the originate-only end, use the crypto map set peer command in order to order the priority of the peers. The originate-only security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list.

The above is taken from the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is resolved.
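As an added configuration example (not posted by anyone in this thread), here is what the Central-site ASA 8.2 crypto map looks like with one remote site reachable over two service providers and the bidirectional connection type the thread settles on for IOS peers; the interface and object names, the peer addresses, the LAN subnets and the transform set are all assumed values constructed for the example.

```cisco
! ASA 8.2 central site: one crypto map entry, two addresses for the same remote IOS router
! (peer addresses and subnets are constructed documentation-range values)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Interesting traffic: central LAN to remote LAN (assumed subnets)
access-list REMOTE_VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Primary peer (ISP A) first, backup peer (ISP B) second: when the ASA initiates it
! works down this list in order; when it responds it accepts either listed peer.
! bidirectional is the default; originate-only/answer-only is the ASA/PIX/VPN3000-only
! feature that broke the tunnel to the IOS routers in the original post.
crypto map OUTSIDE_MAP 10 match address REMOTE_VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set connection-type bidirectional
crypto map OUTSIDE_MAP interface outside

! One L2L tunnel-group per peer address, each carrying its own pre-shared key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PRIMARY_PSK_PLACEHOLDER>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <BACKUP_PSK_PLACEHOLDER>
```

To see which path is in use, check the peer address shown by `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA after a failover test.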