BACK for Site to Site VPN

Zahan Al-Rashid
Level 1

Hi, 

 

I was wondering, is it possible to create a backup for my site-to-site VPN connection? The remote end has a Cisco router which currently has a VPN connection to an ASA 5500. How would I now configure the same router to use another VPN on a different ASA 5500 should the ASA 5500 not work? Will simply adding another peer address on the ISAKMP policy do, or do I need to create a new crypto map, or is it simply not possible?


Thanks for your assistance in advance. 

 

Accepted Solutions

Richard Burts
Hall of Fame

On the router side it should work to have a second peer defined in the isakmp policy and in the set peer of the crypto map. I might prefer to configure a second instance within your existing crypto map to set up a second tunnel which would go to the other ASA. I have set up quite a few customer remote sites with two tunnels to provide failover capability and two instances within the route map works fine.

 

HTH

 

Rick
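
Added example, not part of the original thread or Rick's own configuration: an IOS router configuration for the first option in the answer above, a second peer in the same crypto map entry. The peer addresses (documentation ranges), the names VPN-MAP, VPN-TS and VPN-TRAFFIC, the subnets, the interface, the crypto parameters and the key placeholder are all assumptions, and both ASAs are assumed to accept the same proposals and protected networks.

```cisco
! Constructed example: all addresses, names and keys are placeholders.
! Phase 1 policy shared by both tunnels (must match what the ASAs offer).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per ASA. Use a different, strong key for each peer
! so that a leaked key for one headend does not expose the other.
crypto isakmp key <PRIMARY-PSK-PLACEHOLDER> address 192.0.2.1
crypto isakmp key <BACKUP-PSK-PLACEHOLDER> address 198.51.100.1
!
! Dead peer detection: without it the router keeps stale SAs to a failed
! ASA and never moves on to the next peer in the list.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic to protect: remote-site LAN to the networks behind the ASAs.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255
!
! A single crypto map entry with two peers. The router tries the peers
! in the order listed, so 192.0.2.1 is the primary ASA and 198.51.100.1
! is used only when the primary does not respond.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

After a failover test, `show crypto isakmp sa` and `show crypto session` on the router show which of the two peers currently holds the active tunnel.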



Thanks for the reply Rick, 


How would you route the traffic outside once VPN traffic comes in if both ASAs are interconnected by WAN links? Should I just add static routes on both to route incoming VPN outside their own outside interface, or would that cause asymmetric VPN traffic flows which would cause connection problems?

 

Thanks!

There probably are some things about your environment that I do not know and which might affect the answer. But I would think that you would want to have routing logic on each ASA. If the ASA were going to route traffic to outside that had been received on VPN, would you do address translation for the traffic? If so, it seems to me that this would assure that response traffic would come back to the right ASA and would take care of any issue about asymmetric traffic.

 

HTH

 

Rick
