cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
605
Views
0
Helpful
4
Replies

ASA Pair to Juniper SSG5 Pair

jroy777
Beginner
Beginner

Hello,

 

I have an ASA 5525-x Pair that do Failover with each other and connect to a Juniper SSG-5 pair. There is a VIP on both ends. We now have a secondary ISP (CenturyLink - CL) connected to the ASA pair and if the primary link (Verizon - VZ) fails, we want the tunnel to be rebuilt across the secondary ISP link to the SSG-5 Vip.

Here is what we currently have on ASA side:

crypto ipsec ikev1 transform-set VPN_DENVER esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set VPN_DENVER_AES128 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map denver_map 10 match address acl-denver
crypto map denver_map 10 set pfs
crypto map denver_map 10 set peer 64.78.xxx.xxx
crypto map denver_map 10 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-VZ
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
tunnel-group 64.78.xxx.xxx type ipsec-l2l
tunnel-group 64.78.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****

Do I just create a new crypto map like the following?

crypto map denver_map 20 match address acl-denver
crypto map denver_map 20 set pfs
crypto map denver_map 20 set peer 64.78.xxx.xxx
crypto map denver_map 20 set ikev1 transform-set VPN_DENVER_AES128 VPN_DENVER
crypto map denver_map interface outside-VZ
crypto ca trustpool policy
crypto ikev1 enable outside-CL




4 Replies 4

Rob Ingram
VIP Expert VIP Expert
VIP Expert

Hi @jroy777 

You can specify multi peers under the existing configuration.

 

crypto map denver_map 10 set peer 64.78.xxx.xxx yyy.yyy.yyy.yyy

You would of course need an additional tunnel-group for the additional peer, defining the PSK.

HTH

Thanks, but this would only work unless I had an additional peer. I am using the same VIP IP on the SSG pair from each ISP VIP on the ASA side

Aref Alsouqi
Collaborator
Collaborator

I would try this:

sla monitor 100

 type echo protocol ipIcmpEcho 8.8.8.8 interface outside-VZ

 timeout 1000

 frequency 3

sla monitor schedule 100 life forever start-time now

track 100 rtr 100 reachability

route outside 64.78.xxx.xxx 255.255.255.255 <Verizon next hop> 1 track 100

route outside 64.78.xxx.xxx 255.255.255.255 <CenturyLink next hop> 2

 

Aref Alsouqi
Collaborator
Collaborator


That basically will use the outside-VZ interface to reach the remote Juniper peer, as long as the ICMP traffic can reach Google DNS out of the interface outside-VZ. When the IP SLA fails, the second route through CL, which has a higher administrative distance, will kick in, so the ASA will use it to reach to the Juniper.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers