10-31-2008 06:16 PM
We have a two-ISP solution using a Cisco 5505, and it works fine with tracking.
(route outside 0.0.0.0 0.0.0.0 a.b.c.d 1 track 1)
We have a site-to-site VPN, and this uses the primary ISP's IP. Now we need to configure the same with the ISP2 IP, so that in case ISP1 is down, we still have the VPN link up over the backup line with ISP2.
Is this possible, as the destination site is just one IP?
10-31-2008 06:38 PM
Good evening,
Yes there is a solution for this... what is the device the ASA 5505 is connecting to?
If it's another ASA or an IOS router, you can make the ASA 5505 an EZVPN client in network extension mode... that way you can connect the ASA to the VPN peer from either ISP 1 or 2 (depending on which one is active per the tracking).
Here is a link that explains this feature
Note: only the ASA 5505s can do EZVPN client
This link should help you get started!
-Joe
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html
Thanks!
10-31-2008 06:49 PM
Hi Joe,
Thanks for the reply. Currently I have a site-to-site VPN established through ISP 1. But in case ISP 1 is down, I have no VPN through ISP2.
So I need to configure VPN through ISP2 as well.
(In our case we have NATed IPsec traffic requested by remote datacentre)
LAN---ASA--ISP1----internet
       |
       --ISP2(backup)----internet
10-31-2008 06:57 PM
Exactly...
The ASA 5505 acting as an EZVPN client will establish a "lan-to-lan" tunnel when in "network extension mode" over either ISP 1 or 2, using the active default route to determine the path to the IPsec peer.
You will need to config the other side as an IPsec EZVPN server (either a PIX, ASA, or IOS router or VPN 3000 concentrator can do this).
Once the ASA 5505 connects, its private subnet will be learned and the tunnel will come up.
Read through that doc link I posted and let us know if we can be of any help. This weekend I'll have time to give out some sample configs from my security workbook if necessary.
-Joe
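An added configuration sketch of the setup described in the post above (not part of the thread, and not taken from the linked Cisco document): the tracked default route from the first post combined with the ASA 5505 as an Easy VPN client in network extension mode. All addresses (RFC 5737 documentation ranges), the SLA ID, the group and user names and the secrets are constructed placeholders.

```cisco
! Constructed example: every address, name and secret is a placeholder.
!
! Probe a target through ISP1 and expose the result as track object 1.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! The primary default route is withdrawn when track 1 goes down; the
! floating route through ISP2 (distance 254) then becomes the default.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Easy VPN client settings (ASA 5505 only). The head end is configured
! as the Easy VPN server and accepts the client from whichever public
! address it arrives on, so no static peer entry per ISP is needed there.
! Per the post above, the tunnel follows the active default route.
vpnclient server 192.0.2.10
vpnclient mode network-extension-mode
vpnclient vpngroup BRANCH-EZVPN password <group-preshared-key>
vpnclient username branch5505 password <xauth-password>
vpnclient enable
```

After a failover test, `show track 1`, `show route` and `show crypto isakmp sa` show whether the track went down, which default route is installed, and whether the tunnel re-established over the backup link.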
10-31-2008 08:37 PM
So you mean to say, once we configure L2L using interface "outside" (IP from ISP1), we can also configure the same L2L to fall back to ISP2 for interface "backup"?
--
Is it just a matter of applying
isakmp enable outside
crypto map outside_map interface outside
and
isakmp enable backup
crypto map outside_map interface backup