10-16-2014 10:40 AM
Hello,
I have an existing setup as follows:
The HO ASA is directly connected to ISP1, running peer-to-peer VPN with 5 remote sites that also have ASAs as endpoints terminating the VPN tunnels. Note that the ISPs at the different remote locations are all different, so the peer-to-peer VPN is actually run over the internet.
Because the client experiences downtime from ISP1 at HO, they went ahead and got 2 new ISPs, making 3. A router with an additional interface card has been purchased, and the client wants to configure all 3 ISPs on the HO router in a manner that provides failover from one ISP to the other when there is an issue with the former. VPN traffic between the HO and the sites is what passes through these physical and logical connections.
The task now is to configure the new HO router with the 3 ISPs such that when ISP1 fails, ISP2 picks up routing traffic. The HO ASA will remain in the picture and will maintain its primary function of managing all VPN-related traffic between the HO LAN and the remote site LANs. The remote site ASAs need to be configured in such a way that they can track when ISP1 at HO is down and accept or initiate VPN traffic from/to the HO via ISP2. I have attached a sketch of what the network topology must look like after the setup is complete.
I have spent some time trying to introduce BGP, but the client does not have its own range of public IPs or an AS number, so that has been put on ice.
I have also considered DMVPN, but this is also a problem because the endpoint devices at the remote sites are all ASA devices.
So I am now stuck and really lost as to what to do next. I would appreciate any advice and probably sample configs that can help.
Regards,
Femi
10-17-2014 11:36 AM
Hello,
So I have the following config for the HO router, and a little something I think for the HO ASA, but not a clue what to do on the remote ASA to allow it to monitor all three HO ISPs and know when to route traffic through a working ISP. Any ideas please?
HO ROUTER
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HO_Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
no ip dhcp use vrf connected
!
!
!
no ipv6 cef
!
!
multilink bundle-name authenticated
!
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
!
!
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
mode transport
!
!
crypto keyring ISP1
pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey1
crypto keyring ISP2
pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey2
crypto keyring ISP3
pre-shared-key address 0.0.0.0 0.0.0.0 key tesTkey3
!
!
!
!
crypto isakmp profile ISP1
keyring ISP1
match identity address 0.0.0.0
!
!
crypto isakmp profile ISP2
keyring ISP2
match identity address 0.0.0.0
!
!
!
crypto isakmp profile ISP3
keyring ISP3
match identity address 0.0.0.0
!
!
!
!
crypto ipsec profile IpsecProf1
set transform-set AES256SHA
set isakmp-profile ISP1
!
!
crypto ipsec profile IpsecProf2
set transform-set AES256SHA
set isakmp-profile ISP2
!
!
crypto ipsec profile IpsecProf3
set transform-set AES256SHA
set isakmp-profile ISP3
!
!
!
!
!
interface Tunnel1
bandwidth 2000
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication nhrpauth
ip nhrp map multicast dynamic
ip nhrp network-id 53
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf 1 area 0
delay 100
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile IpsecProf1
!
interface Tunnel2
bandwidth 2000
ip address 172.16.20.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication nhrpaut2
ip nhrp map multicast dynamic
ip nhrp network-id 54
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf 1 area 0
delay 100
tunnel source GigabitEthernet0/2
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile IpsecProf2
!
interface Tunnel3
bandwidth 2000
ip address 172.16.30.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication nhrpaut3
ip nhrp map multicast dynamic
ip nhrp network-id 55
ip tcp adjust-mss 1360
ip ospf network point-to-multipoint
ip ospf 1 area 0
delay 100
tunnel source FastEthernet0/0/0
tunnel mode gre multipoint
tunnel key 3
tunnel protection ipsec profile IpsecProf3
!
!
!
!
interface GigabitEthernet0/0
description To ASA
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip ospf 1 area 0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description ISP1
ip address a.a.a.2 255.255.255.254
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
interface GigabitEthernet0/2
description ISP2
ip address b.b.b.2 255.255.255.254
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
interface FastEthernet0/0/0
description ISP3
ip address c.c.c.2 255.255.255.254
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
router ospf 1
default-information originate always
!
ip nat inside source route-map EXIT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map EXIT_ISP2 interface GigabitEthernet0/2 overload
ip nat inside source route-map EXIT_ISP3 interface FastEthernet0/0/0 overload
ip forward-protocol nd
ip classless
!
!
ip sla responder
!
!
ip sla 1
icmp-echo a.a.a.1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo b.b.b.1
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo c.c.c.1
ip sla schedule 3 life forever start-time now
!
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
track 30 ip sla 3 reachability
delay down 1 up 1
!
!
!
!
no ip http server
no ip http secure-server
! Distinct administrative distances so the routes are preferred in order ISP1 > ISP2 > ISP3
! (with equal distances all three would be installed as equal-cost paths instead of failing over)
ip route 0.0.0.0 0.0.0.0 a.a.a.1 track 10
ip route 0.0.0.0 0.0.0.0 b.b.b.1 10 track 20
ip route 0.0.0.0 0.0.0.0 c.c.c.1 20 track 30
ip route 172.16.10.0 255.255.255.0 a.a.a.1
ip route 172.16.20.0 255.255.255.0 b.b.b.1
ip route 172.16.30.0 255.255.255.0 c.c.c.1
!
!
!
!
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
!
route-map EXIT_ISP1 permit 10
match ip address 110
match interface GigabitEthernet0/1
!
route-map EXIT_ISP2 permit 10
match ip address 110
match interface GigabitEthernet0/2
!
route-map EXIT_ISP3 permit 10
match ip address 110
match interface FastEthernet0/0/0
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
**************************************************************************************
HO ASA
interface GigabitEthernet0/0
ip address 10.0.1.2 255.255.255.0
nameif outside
security-level 0
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123
speed auto
duplex auto
!
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
nameif inside
security-level 100
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123
speed auto
duplex auto
!
!
router ospf 1
network 10.0.1.0 255.255.255.0 area 0
network 192.168.0.0 255.255.255.0 area 0
!
route outside 0.0.0.0 0.0.0.0 10.0.1.1
!
access-group OUTSIDE-IN in interface outside
!
!
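For the remote-site ASA part of the question, the following is an added example (my own, not the poster's config and not taken from Cisco documentation) of the standard ASA way to make a site follow the HO across its ISPs: one crypto-map entry lists all three HO addresses as peers, which the ASA tries in the listed order whenever it brings the tunnel up, and IKE dead-peer detection (DPD) tears down the tunnel to a peer that stops answering so the next one is tried. It assumes the HO ASA is reachable at a.a.a.2, b.b.b.2 and c.c.c.2, which means the HO router must forward IKE (UDP 500/4500) and ESP arriving on each ISP interface to 10.0.1.2; the router config above only has overload PAT, so that static translation still has to be added. The pre-shared keys reuse the per-ISP keys from the HO router keyrings on the assumption that the HO side will use the same ones; the site LAN 192.168.5.0/24, the remote ISP addresses d.d.d.1/d.d.d.2, and the object, ACL and map names are placeholders I made up. ASA 8.4+ syntax.

```cisco
! Remote-site ASA - added example, not from the thread. Placeholders: 192.168.5.0/24 site LAN,
! d.d.d.2 = this ASA's outside address, d.d.d.1 = the remote ISP gateway.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address d.d.d.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 d.d.d.1 1
!
! Interesting traffic: site LAN to the HO LAN (192.168.0.0/24 is the HO ASA inside network above)
access-list HO_VPN extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! NAT exemption so VPN traffic keeps its real addresses
object network SITE_LAN
 subnet 192.168.5.0 255.255.255.0
object network HO_LAN
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static SITE_LAN SITE_LAN destination static HO_LAN HO_LAN no-proxy-arp route-lookup
!
! IKEv1 phase 1, matching the AES-256 / pre-shared-key policy on the HO side
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T is required because the HO ASA sits behind the HO router's NAT
crypto isakmp nat-traversal 30
!
crypto ipsec ikev1 transform-set AES256SHA esp-aes-256 esp-sha-hmac
!
! One crypto-map entry with three peers: a.a.a.2 (ISP1) is tried first, then b.b.b.2, then c.c.c.2
crypto map HO_MAP 10 match address HO_VPN
crypto map HO_MAP 10 set peer a.a.a.2 b.b.b.2 c.c.c.2
crypto map HO_MAP 10 set ikev1 transform-set AES256SHA
crypto map HO_MAP interface outside
!
! One tunnel-group per HO address. The DPD keepalive is what detects that the HO ISP behind
! the current peer is down (10 s idle threshold, 3 retries) and lets the ASA move to the next peer.
tunnel-group a.a.a.2 type ipsec-l2l
tunnel-group a.a.a.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey1
 isakmp keepalive threshold 10 retry 3
tunnel-group b.b.b.2 type ipsec-l2l
tunnel-group b.b.b.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey2
 isakmp keepalive threshold 10 retry 3
tunnel-group c.c.c.2 type ipsec-l2l
tunnel-group c.c.c.2 ipsec-attributes
 ikev1 pre-shared-key tesTkey3
 isakmp keepalive threshold 10 retry 3
```

Two things to check when testing this: the peer list only governs tunnels the remote ASA initiates, so the HO side also needs DPD enabled on its tunnel-groups, otherwise a stale SA at HO can linger after an ISP outage until the remote re-keys; and the HO router's tracked default routes decide which ISP the HO ASA's own outbound IKE leaves on, so the peer a remote site ends up on after a failover is whichever HO address the router is then using. `show crypto ikev1 sa` and `show crypto ipsec sa` on the remote ASA show which of the three peers the current SA is built to.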