cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
231
Views
0
Helpful
4
Replies
Highlighted
Beginner

ASA Pair to Juniper SSG5 Pair

Hello,

 

I have an ASA 5525-x Pair that do Failover with each other and connect to a Juniper SSG-5 pair. There is a VIP on both ends. We now have a secondary ISP (CenturyLink - CL) connected to the ASA pair and if the primary link (Verizon - VZ) fails, we want the tunnel to be rebuilt across the secondary ISP link to the SSG-5 Vip.

Here is what we currently have on ASA side:

crypto ipsec ikev1 transform-set VPN_DENVER esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set VPN_DENVER_AES128 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map denver_map 10 match address acl-denver
crypto map denver_map 10 set pfs
crypto map denver_map 10 set peer 64.78.xxx.xxx
crypto map denver_map 10 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-VZ
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
tunnel-group 64.78.xxx.xxx type ipsec-l2l
tunnel-group 64.78.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****

Do I just create a new crypto map like the following?

crypto map denver_map 20 match address acl-denver
crypto map denver_map 20 set pfs
crypto map denver_map 20 set peer 64.78.xxx.xxx
crypto map denver_map 20 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-CL




4 REPLIES 4
Highlighted
VIP Mentor

Hi @jroy777 

You can specify multi peers under the existing configuration.

 

crypto map denver_map 10 set peer 64.78.xxx.xxx yyy.yyy.yyy.yyy

You would of course need an additional tunnel-group for the additional peer, defining the PSK.

HTH

Highlighted

Thanks, but this would only work unless I had an additional peer. I am using the same VIP IP on the SSG pair from each ISP VIP on the ASA side

Highlighted
Rising star

I would try this:

sla monitor 100

 type echo protocol ipIcmpEcho 8.8.8.8 interface outside-VZ

 timeout 1000

 frequency 3

sla monitor schedule 100 life forever start-time now

track 100 rtr 100 reachability

route outside 64.78.xxx.xxx 255.255.255.255 <Verizon next hop> 1 track 100

route outside 64.78.xxx.xxx 255.255.255.255 <CenturyLink next hop> 2

 

Highlighted
Rising star


That basically will use the outside-VZ interface to reach the remote Juniper peer, as long as the ICMP traffic can reach Google DNS out of the interface outside-VZ. When the IP SLA fails, the second route through CL, which has a higher administrative distance, will kick in, so the ASA will use it to reach to the Juniper.