10-05-2011 06:58 AM
Hi all,
I have an ASA 5500 series firewall and need to define another peer IP for a site-to-site VPN connection. Actually my aim is: the ASA tries the first peer IP of the site-to-site tunnel, and when the ASA cannot reach this IP, it tries to reach another IP which I defined before. I can configure this scenario on a Cisco router with these commands:
crypto map tohub 1 ipsec-isakmp
set peer 10.1.1.1 default
set peer 10.2.2.2
but I wonder, can I do that on an ASA?
Thanks.
Best Regards.
10-05-2011 07:14 AM
Shane,
You can configure multiple IP addresses under same set peer entry on ASA, but it will not work the same as on IOS with preferred peer, it will cycle between the defined peers.
Marcin
10-05-2011 07:42 AM
Thank you Marcin,
You mean, when we use set peer 192.168.1.2 172.29.68.12, there is no preemption mechanism between those IPs, and it acts like a round-robin algorithm, right?
10-05-2011 08:09 AM
Shane,
Yup, I believe the command reference is accurate on this one:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c5.html#wp2278871
Configuring multiple peers is equivalent to providing a fallback list. For each tunnel, the security appliance attempts to negotiate with the first peer in the list. If that peer does not respond, the security appliance works its way down the list until either a peer responds or there are no more peers in the list. You can set up multiple peers only when using the backup LAN-to-LAN feature (that is, when the crypto map connection type is originate-only). For more information, see the crypto map set connection-type command.
M.
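To make the fallback-list behaviour from the command reference concrete, here is an added example of a spoke-side ASA 8.4 configuration with a two-entry peer list and the originate-only connection type the reference requires. This is not configuration from the thread or from Cisco's documentation: the interface name, object names, ACL name, transform-set name, subnets and the peer addresses 10.1.1.1 and 10.2.2.2 are constructed for illustration (the peers are reused from the original question), and the pre-shared keys are placeholders.

```cisco
! Added example, not from the thread. Names, subnets and keys are constructed.
! Local and remote networks that should traverse the tunnel
object network SPOKE-LAN
 subnet 192.168.10.0 255.255.255.0
object network HUB-LAN
 subnet 10.10.0.0 255.255.0.0
!
! Interesting traffic for the crypto map
access-list VPN-TO-HUB extended permit ip object SPOKE-LAN object HUB-LAN
!
! IKEv1 phase 1 policy and IPsec transform set
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One tunnel-group per peer address; each peer needs its own pre-shared key entry
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PRIMARY-PSK-PLACEHOLDER>
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <BACKUP-PSK-PLACEHOLDER>
!
! Crypto map entry: two peers in one "set peer" line form the fallback list.
! The ASA tries 10.1.1.1 first and moves to 10.2.2.2 only if it gets no response.
! Multiple peers are only honoured with connection-type originate-only.
crypto map tohub 1 match address VPN-TO-HUB
crypto map tohub 1 set peer 10.1.1.1 10.2.2.2
crypto map tohub 1 set ikev1 transform-set TS-AES256-SHA
crypto map tohub 1 set connection-type originate-only
crypto map tohub interface outside
!
! Verification: which peer the spoke is currently negotiating with / connected to
show crypto ikev1 sa
show crypto ipsec sa peer 10.1.1.1
show crypto ipsec sa peer 10.2.2.2
```

Because the spoke is originate-only, the hub end (or each of the two hub addresses) must be configured to accept the connection rather than initiate it, i.e. with connection-type answer-only or bidirectional on its own crypto map entry. Use the show commands at the end to confirm which peer holds the active SA after a failover rather than assuming the list order reflects the current state.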