One of our clients has the following scenario...
ASA 5510 FW v7.2 at head office
800 series routers at remote offices.
All remote sites establish a site-to-site IPsec VPN to the head office ASA.
They want to increase the speed over the VPNs, so they have commissioned a new internet link at head office. They want to migrate all VPNs across to the new link.
Both Internet links are connected directly to the ASA, both links have a security level of 0. The ASA has one connection to the Inside. We use floating static routes to determine which link is used for routing outbound traffic to the internet.
ip address 126.96.36.199 255.255.255.248
ip address 10.10.10.10 255.255.0.0
ip address 188.8.131.52 255.255.255.240
Is it possible to simply re-configure the ASA to allow the IPsec/ISAKMP policies to terminate on the new interface 'outside-NEW', then one by one change the crypto map peer statements on each router from 184.108.40.206 to 220.127.116.11? Can I add both, having 18.104.22.168 as backup and 2.2.2. as primary?
I am also planning that, in the interests of uptime, during the cutover I will be terminating VPNs through 22.214.171.124 and 126.96.36.199 at the same time. Is this possible?
All ISAKMP and IPsec policies and pre-shared keys would stay the same; the only thing that would technically change is the terminating peer.
Attached is a quick and dirty visio diagram explaining the concept.
You can enable outside-NEW to listen for ISAKMP on the ASA. You also need to attach the crypto map to outside-NEW on the ASA.
On the router you can define multiple peers.
Hope this helps.
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
How'd you go with this?
Were you able to run VPNs on the 2 outside interfaces in the end?
If so - what did you do? Were you able to attach the crypto map to multiple interfaces?
To my understanding you should be able to attach the same crypto map to the other "outside" interface, or perhaps alternatively create a new crypto map that you attach only to your new "outside" interface.
Also, I think you will probably need to route the remote peer IP of the VPN connection towards the gateway IP address of that new "outside", and also the remote network found behind the VPN connection.
If you attempt to use a VPN Client connection instead of an L2L VPN connection with the new "outside" interface then you will run into routing problems, as naturally you can have 2 default routes active at the same time (a default route would be required on the new "outside" interface if VPN Client was used, since you DON'T KNOW where the VPN Clients are connecting to your ASA from).
Hope this helps
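An added example of what the two answers above describe in configuration form (this is not config posted in the thread and not taken from the original poster's ASA or routers). It assumes interface names Ethernet0/0 and Ethernet0/1, crypto map names L2L and HQ, ACL names VPN-HQ-TO-SITE1 and 101, a transform set ESP-3DES-SHA, and RFC 5737 documentation addresses as constructed placeholders: 192.0.2.1 for the existing ASA outside, 198.51.100.1 for outside-NEW (gateway 198.51.100.2), 203.0.113.5 for the remote router, 10.1.1.0/24 for the remote LAN. The ISAKMP policy, transform set and pre-shared keys are shown only because a fragment needs them; per the thread they are unchanged from what is already in place.

```cisco
!
! ---------- ASA 5510 (7.2) at head office ----------
!
! Both links sit at security-level 0, as in the original setup.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.248
!
interface Ethernet0/1
 nameif outside-NEW
 security-level 0
 ip address 198.51.100.1 255.255.255.240
!
! Per the first answer: make the new interface listen for ISAKMP as well.
crypto isakmp enable outside
crypto isakmp enable outside-NEW
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! One crypto map entry per remote site; the peer is the remote router.
crypto map L2L 10 match address VPN-HQ-TO-SITE1
crypto map L2L 10 set peer 203.0.113.5
crypto map L2L 10 set transform-set ESP-3DES-SHA
!
! Per the first and second answers: bind the same map to both interfaces
! during cutover (the second answer's alternative is a separate map bound
! only to outside-NEW).
crypto map L2L interface outside
crypto map L2L interface outside-NEW
!
! Tunnel group keyed by the remote router's address; PSK is unchanged.
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! Per the second answer: steer the remote peer and the remote LAN out of
! outside-NEW so the tunnel actually forms on the new link. The existing
! floating static default routes stay as they are.
route outside-NEW 203.0.113.5 255.255.255.255 198.51.100.2 1
route outside-NEW 10.1.1.0 255.255.255.0 198.51.100.2 1
!
! ---------- Cisco 800 series router at a remote site ----------
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Same PSK for both head-office addresses, so either peer can answer.
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Multiple peers as in the first answer: IOS tries them in the order
! listed, so the new link is primary and the old link is the fallback.
crypto map HQ 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 192.0.2.1
 set transform-set ESP-3DES-SHA
 match address 101
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.10.0.0 0.0.255.255
!
interface Dialer0
 crypto map HQ
```

During cutover, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA show which local address each site's tunnel is terminating on, so sites can be moved one at a time and the old `crypto map L2L interface outside` line removed only once nothing is left on it. Keep the per-peer `/32` route on the ASA in step with whichever interface the site is meant to use; a route pointing the wrong way is the usual reason a tunnel keeps coming up on the old link.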
Thanks for that.
Yeah - for my purposes a second link would be purely for a L2L VPN so would be easy for the routing side of things.
I'll have to do some research and determine if we have support staff connecting to the customer RA VPN on the same IP or not.
Anyway, cheers for the heads up.