Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
807
Views
0
Helpful
4
Replies

ASA Pair to Juniper SSG5 Pair

jroy777
Level 1
Level 1

‎10-28-2020 08:35 PM

Hello,

 

I have an ASA 5525-x Pair that do Failover with each other and connect to a Juniper SSG-5 pair. There is a VIP on both ends. We now have a secondary ISP (CenturyLink - CL) connected to the ASA pair and if the primary link (Verizon - VZ) fails, we want the tunnel to be rebuilt across the secondary ISP link to the SSG-5 Vip.

Here is what we currently have on ASA side:

crypto ipsec ikev1 transform-set VPN_DENVER esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set VPN_DENVER_AES128 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map denver_map 10 match address acl-denver
crypto map denver_map 10 set pfs
crypto map denver_map 10 set peer 64.78.xxx.xxx
crypto map denver_map 10 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-VZ
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
tunnel-group 64.78.xxx.xxx type ipsec-l2l
tunnel-group 64.78.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****

Do I just create a new crypto map like the following?

crypto map denver_map 20 match address acl-denver
crypto map denver_map 20 set pfs
crypto map denver_map 20 set peer 64.78.xxx.xxx
crypto map denver_map 20 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-CL




Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎10-29-2020 12:48 AM - edited ‎10-29-2020 01:10 AM

Hi @jroy777 

You can specify multi peers under the existing configuration.

 

crypto map denver_map 10 set peer 64.78.xxx.xxx yyy.yyy.yyy.yyy

You would of course need an additional tunnel-group for the additional peer, defining the PSK.

HTH

0 Helpful

jroy777
Level 1
Level 1
In response to Rob Ingram

‎10-29-2020 10:13 AM

Thanks, but this would only work unless I had an additional peer. I am using the same VIP IP on the SSG pair from each ISP VIP on the ASA side

0 Helpful

Aref Alsouqi
VIP
VIP

‎10-29-2020 10:45 AM - edited ‎10-29-2020 10:48 AM

I would try this:

sla monitor 100

 type echo protocol ipIcmpEcho 8.8.8.8 interface outside-VZ

 timeout 1000

 frequency 3

sla monitor schedule 100 life forever start-time now

track 100 rtr 100 reachability

route outside 64.78.xxx.xxx 255.255.255.255 <Verizon next hop> 1 track 100

route outside 64.78.xxx.xxx 255.255.255.255 <CenturyLink next hop> 2

 

0 Helpful

Aref Alsouqi
VIP
VIP

‎10-29-2020 10:48 AM


That basically will use the outside-VZ interface to reach the remote Juniper peer, as long as the ICMP traffic can reach Google DNS out of the interface outside-VZ. When the IP SLA fails, the second route through CL, which has a higher administrative distance, will kick in, so the ASA will use it to reach to the Juniper.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents