07-26-2012 03:14 PM
I have a client with dual ISP connections, one on a 10Mb connection and the other on a backup link that is only a T1.
The client has multiple sites with this identical configuration. The T1 is set up as a backup default route within the ASAs at each location.
Currently they have multiple site-to-site VPNs at each of the locations configured on the 10Mb connection. One of these site-to-sites connects the two offices in question. What is the best way to ensure that we maintain VPN connectivity between the sites in the event of a failure of the 10Mb connection at one of the two locations?
I believe I need to set up an additional crypto map for the interface connected to the T1 ("T1-Interface") and then reference both remote IPs in the "set peer" statements of the two crypto maps.
So, for example:
Site A
interface Outside
ip address 1.1.1.1 255.255.255.252
interface Backup-T1
ip address 2.2.2.1 255.255.255.252
interface Inside
ip address 10.10.1.1 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
(The tracked route verifies that the primary default route is usable and, if it is not, the Backup-T1 route takes over; the additional config steps for this are omitted for brevity.)
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
crypto map backupT1_map 1 match address office_b_inside_acl
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
pre-shared-key letmein
tunnel-group 4.4.4.1 type ipsec-l2l
tunnel-group 4.4.4.1 ipsec-attributes
pre-shared-key letmein
Site B
interface Outside
ip address 3.3.3.1 255.255.255.252
interface Backup-T1
ip address 4.4.4.1 255.255.255.252
interface Inside
ip address 10.10.2.1 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 3.3.3.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 4.4.4.2 254
(Same tracking arrangement as Site A, using Site B's own next hops; the additional config steps for this are omitted for brevity.)
crypto map outside_map 1 match address office_a_inside_acl
crypto map outside_map 1 set peer 1.1.1.1 2.2.2.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
crypto map backupT1_map 1 match address office_a_inside_acl
crypto map backupT1_map 1 set peer 1.1.1.1 2.2.2.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key letmein
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
pre-shared-key letmein
Have I got this right based on this example? Any suggestions are much appreciated.
Thanks,
Sean
07-26-2012 04:04 PM
Hi Sean,
Excellent.
I think you should be all set; however, I do not see the IP SLA settings.
You have the "track" command but not the SLA instance. Please check this out:
ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example
http://tools.cisco.com/squish/BD68F
This is basically what you need:
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
Please adjust the commands above to your configuration.
Let me know if you have any questions.
Please rate this post if you find it helpful.
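The two pitfalls raised in this thread (a crypto map name that does not match the one applied to the interface, peers with no tunnel-group, and a `track` on the route with no `track`/`sla monitor` definitions behind it) are easy to lint before pushing config. The following checker is an added example, not code from the thread or from Cisco; the sample ASA config it parses is constructed here with those faults built in.

```python
# Constructed sample config (not from the thread) with three deliberate faults:
# a misspelled map name applied to Outside, a peer without a tunnel-group,
# and a tracked route whose 'track' and 'sla monitor' definitions are missing.
SAMPLE_CONFIG = """\
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map oustide_map interface Outside
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map interface Backup-T1
tunnel-group 3.3.3.1 type ipsec-l2l
"""


def check_asa_failover(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    maps, bound, peers, tgroups = set(), {}, set(), set()
    tracks, rtrs, slas = set(), {}, set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["crypto", "map"]:
            if len(w) > 4 and w[3] == "interface":
                bound[w[2]] = w[4]          # map name -> interface it is applied to
            else:
                maps.add(w[2])
                if "peer" in w:             # every address after 'peer' is a peer
                    peers.update(w[w.index("peer") + 1:])
        elif w[:1] == ["tunnel-group"] and w[2:3] == ["type"]:
            tgroups.add(w[1])
        elif w[:1] == ["route"] and "track" in w:
            tracks.add(w[w.index("track") + 1])
        elif w[:1] == ["track"] and "rtr" in w:
            rtrs[w[1]] = w[w.index("rtr") + 1]   # track id -> sla monitor id
        elif w[:2] == ["sla", "monitor"] and w[2:3] != ["schedule"]:
            slas.add(w[2])
    issues = []
    for name, intf in bound.items():
        if name not in maps:
            issues.append(f"crypto map '{name}' is applied to {intf} but never defined")
    for p in sorted(peers - tgroups):
        issues.append(f"peer {p} has no tunnel-group, so IKE with it will fail")
    for t in sorted(tracks):
        if t not in rtrs:
            issues.append(f"track {t} is used by a route but not defined")
        elif rtrs[t] not in slas:
            issues.append(f"track {t} references sla monitor {rtrs[t]}, which is missing")
    return issues
```

Run `check_asa_failover()` over the output of `show running-config` from each ASA; it reports the three faults for the sample above and returns an empty list once the map name, the missing tunnel-group and the `sla monitor`/`track` pair are added.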