cisco asa 5510 IPsec tunnel to two sites with juniper netscreen

angelopedro
Level 1

I'm trying to setup two tunnels from a cisco asa 5510 to two other sites with juniper netscreen:

siteA: juniper, network 10.10.0.0/16

siteB: juniper, network 10.11.0.0/16

siteC: asa 5510, network 10.12.0.0/16

siteA and siteB have a private WAN link and are running OSPF.

My plan is to create the tunnel siteA to siteC and allow both siteA&B subnets (10.10.0.0/15)

And also create a second tunnel siteB to siteC and also allow both siteA&B subnets (10.10.0.0/15)

The reason why I need this setup is for redundancy.

If siteA's ISP goes down, siteC still has access to both sites through siteB, and if siteB's ISP goes down siteC still has access to both sites through siteA.

If I create the two tunnels in the ASA, how would it know which peer to use if both peers have the same remote subnet?

Can I create a static route in the ASA pointing to siteA's public address and use static route monitoring for failover?

"route outside 10.10.0.0 255.254.0.0 peerA_public_IP 10 track 1"

I need the ASA 5510 tunnel connection type to be bidirectional so I cannot use multiple peers in a single crypto map.

See attached diagram. Thanks.


mmandeka
Cisco Employee

Hi,

To answer your questions:

Question 1: If I create the two tunnels in the ASA, how would it know which peer to use if both peers have the same remote subnet?

Answer: In the crypto map created on the asa, you need to specify 2 peers. The syntax for this would look like:

crypto map <> <> set peer y.y.y.y z.z.z.z

y.y.y.y = Primary ASA

z.z.z.z = Secondary ASA

The ASA always will try to peer with y.y.y.y. If y.y.y.y is not available, then it tries to peer with z.z.z.z

So your primary ISP needs to be specified first, and then you specify the secondary ISP.

And since both Site A and B know about each other through OSPF, there won't be any problems with the remote subnet being 10.10.0.0/15.

Question 2: Can I create static route in the ASA pointing to siteA's public address and use static route monitoring for failover?
"route outside 10.10.0.0 255.254.0.0 peerA_public_IP 10 track 1"

Answer: SLA monitoring is not required here as we have tunnels from both site A and B terminating on a single interface of the ASA. SLA monitoring provides interface redundancy and this is not the case in your scenario.

Question 3: I need the ASA 5510 tunnel connection type to be bidirectional so I cannot use multiple peers in a single crypto map.

Answer: As mentioned earlier, you can specify 2 peers in a single crypto map.

In earlier code versions, when you specify 2 peers in a single crypto map, only the remote end can initiate the connection. In our example, only site A and B can initiate the connection; Site C cannot. But in later versions of code, the tunnel can be initiated bidirectionally and it works just fine.

Please let me know if this answers your query.

Regards,

Manisha Mandekar

Thanks, I read about the multiple peer option, but after reading Cisco Press Cisco ASA All-in-One... 2nd Edition, published in 2010, it mentions on p. 765 that:

"If you need to specify multiple peers in your crypto map sequence number for redundancy, you must set your connection type to originate-only mode."

BTW, I'm running ASA v8.2. I'll give it a try.

Thanks again,

Hi Angelo,

I don't think the originate-only option would work out in this scenario, since this option is supported between 2 Cisco security devices only, as documented in this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

We probably should be looking at other alternatives. I will let you know if I find one for this backup VPN scenario.

Cheers,

Rudresh V

mmandeka
Cisco Employee

Hi Angelo,

8.2 supports bidirectional tunnel initiation.

Here's the output from an ASA running 8.2(2):

ciscoasa1(config)# crypto map vpnmap 10 set peer 1.1.1.1 2.2.2.2

ciscoasa1(config)# crypto map vpnmap 10 set connection-type ?

configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only

Here is more information on the same:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238363

But I guess this is not supported with a 3rd-party device. Let me check on what other alternatives are available.
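The two-peer crypto map described in the first answer and the bidirectional connection type shown in the 8.2(2) output above, pulled together into one site C configuration. This is an added example written for this thread, not configuration from the thread, from Cisco or from the poster. It assumes ASA 8.2 syntax, an outside interface named "outside", the ACL and map names used here, and constructed peer addresses from the documentation ranges: 203.0.113.10 for the site A Juniper (primary) and 198.51.100.20 for the site B Juniper (secondary). The pre-shared keys are placeholders.

```cisco
! Added example, not the thread's own configuration. Assumes ASA 8.2 syntax,
! an interface named "outside", and constructed peer addresses:
! site A Juniper = 203.0.113.10 (primary), site B Juniper = 198.51.100.20 (secondary).
!
! Interesting traffic: site C LAN to the combined site A + B range 10.10.0.0/15.
access-list VPN_AB extended permit ip 10.12.0.0 255.255.0.0 10.10.0.0 255.254.0.0
! Exempt the tunnel traffic from NAT (8.2 "nat 0" style).
nat (inside) 0 access-list VPN_AB
!
! Phase 1 (ISAKMP) policy; both Juniper peers must offer matching proposals.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 transform set.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! One crypto map entry, two peers: the ASA tries 203.0.113.10 first and
! falls back to 198.51.100.20 only when the first peer does not respond.
crypto map vpnmap 10 match address VPN_AB
crypto map vpnmap 10 set peer 203.0.113.10 198.51.100.20
crypto map vpnmap 10 set transform-set ESP-AES-SHA
crypto map vpnmap 10 set connection-type bidirectional
crypto map vpnmap interface outside
!
! A separate tunnel-group, with its own pre-shared key, per peer.
! DPD keepalives shorten the time before a dead primary peer is detected
! and the ASA moves on to the secondary.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-SITE-A-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <PSK-SITE-B-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! Verification: which peer currently holds the Phase 1 and Phase 2 SAs.
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.10
```

The same crypto ACL (10.12.0.0/16 to 10.10.0.0/15) is what both Juniper peers have to mirror, so that whichever peer is active negotiates an identical proxy identity. Use a distinct pre-shared key per tunnel-group so that compromise of one site's key does not expose the other tunnel, and check `show crypto isakmp sa` after a simulated outage of the primary peer to confirm the SA has actually moved to the secondary.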
