02-16-2013 06:34 AM
Hi, I have an ASA5505 in EasyVPN client mode with NEM, which terminates over the public network to an ASA5585 (EasyVPN server). On the ASA5505 I have two ISPs and an SLA which monitors my ISP1; in case it fails, a new default route installs to ISP2 (vlan2), but the VPN tunnel over the ISP2 (interface vlan3) link does not come UP.
interface Vlan1
nameif inside
security-level 100
ip address 10.11.248.50 255.255.255.0
!
interface Vlan2
no forward interface Vlan3
nameif outside
security-level 0
ip address 19x.18x.21x.242 255.255.255.252
!
interface Vlan3
nameif backup
security-level 2
ip address 9x.2x.2x.7x 255.255.255.252
From my perspective it happens because the EasyVPN client can ONLY build the VPN tunnel if traffic goes from the interface with the highest security level (Vlan 1 in my case) to the lowest (vlan 2 in my case). Is there any way to use this EasyVPN technology on a client device with redundant ISPs?
02-17-2013 02:44 AM
You can try to change your backup interface to have the same security level as the outside. There is no reason to have a different security level, as you are not passing traffic between the outside and the backup interface anyway.
02-17-2013 05:13 AM
As you can see below, for some reason it can't:
KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# secu
KRD-UKGK(config-if)# security-level 0
ERROR: This configuration cannot be modified with Cisco Easy VPN Remote enabled.
KRD-UKGK(config-if)# exi
KRD-UKGK(config)# no vpncli
KRD-UKGK(config)# no vpnclient ena
KRD-UKGK(config)# no vpnclient enable
KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# security-level 0
KRD-UKGK(config-if)# exi
KRD-UKGK(config)# vpnclient enable
ERROR: Unable to determine Easy VPN Remote internal and external interfaces: multiple interfaces with the same security levels.
KRD-UKGK(config)# exi
KRD-UKGK# sh run | i vpn
vpnclient server 19x.1x.1x0.5
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ut password *****
vpnclient username ut password *****
webvpn
KRD-UKGK# conf t
KRD-UKGK(config)# int vlan 3
KRD-UKGK(config-if)# se
KRD-UKGK(config-if)# secu
KRD-UKGK(config-if)# security-level 3
KRD-UKGK(config-if)# exi
KRD-UKGK(config)# vpnclient enable
KRD-UKGK(config)# exi
KRD-UKGK#
02-17-2013 06:02 AM
OK, pls kindly change the security level back to the original value, i.e. 2.
You would also need to configure "backup interface" command on the outside interface to identify that the "backup" interface is the backup.
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/b.html#wp1359012
02-17-2013 06:40 AM
Strange thing, but I don't have this command under the interface-level CLI. Maybe it's because of my licence:
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
02-17-2013 04:12 PM
With Easy VPN, you would need the "backup interface" command, however, with that command, you would need to have "Security plus" license because it needs to become a full interface instead of partial interface where it can only forward traffic to one other interface.
Let's try this final option:
interface Vlan2
nameif outside
backup interface vlan 3
security-level 0
ip address 19x.18x.21x.242 255.255.255.252
!
interface Vlan3
nameif backup
no forward interface Vlan2
security-level 2
ip address 9x.2x.2x.7x 255.255.255.252
02-17-2013 09:11 PM
Hi, I just don't have this
backup interface vlan 3
command under interface configuration mode
Also I want to ask you: in the URL which you provided to me I see this:
The Security Plus license no longer limits the number of VLAN interfaces to 3 for normal traffic, 1 for a backup interface, and 1 for failover; you can now configure up to 20 interfaces without any other limitations. Therefore the backup interface command is not required to enable more than 3 interfaces.
My question is: why do I need the SecPLUS license to enable (backup interface) if this command (backup interface) is not required to enable more than 3 interfaces?
02-17-2013 09:15 PM
You would need it for Easy VPN, as stated further down the line:
"When you configure Easy VPN with the backup interface command, if the backup interface becomes the primary, then the adaptive security appliance moves the VPN rules to the new primary interface."
What version of ASA are you running?
02-17-2013 10:59 PM
UKGK# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
UKGK up 1 day 12 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 442b.037a.0c6f, irq 11
1: Ext: Ethernet0/0 : address is 442b.037a.0c67, irq 255
2: Ext: Ethernet0/1 : address is 442b.037a.0c68, irq 255
3: Ext: Ethernet0/2 : address is 442b.037a.0c69, irq 255
4: Ext: Ethernet0/3 : address is 442b.037a.0c6a, irq 255
5: Ext: Ethernet0/4 : address is 442b.037a.0c6b, irq 255
6: Ext: Ethernet0/5 : address is 442b.037a.0c6c, irq 255
7: Ext: Ethernet0/6 : address is 442b.037a.0c6d, irq 255
8: Ext: Ethernet0/7 : address is 442b.037a.0c6e, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
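The thread turns on a licensing prerequisite: the `backup interface` command that moves the Easy VPN rules to the surviving ISP link is only offered on an ASA 5505 with a Security Plus license, and the `show version` output above shows a Base license with "Dual ISPs : Disabled" and the third VLAN "DMZ Restricted". The following Python script is an added example, not code from the thread or from Cisco: it parses the "Licensed features for this platform" block out of `show version` text and reports the license facts that rule out the backup-interface design before anyone spends time on the configuration. The function names are my own, and the Security Plus sample block is constructed for contrast; the Base block is the one posted in the thread.

```python
"""Check an ASA 5505 'show version' license block for the Easy VPN
backup-interface prerequisite discussed in the thread (added example)."""
import re

# Constructed from the license block posted in the thread (Base license).
BASE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
This platform has a Base license.
"""

# Constructed (hypothetical) block for a Security Plus unit, for contrast.
SECPLUS_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Failover : Active/Standby
Dual ISPs : Enabled
VLAN Trunk Ports : 8
This platform has an ASA 5505 Security Plus license.
"""

_FEATURE_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")
_PLATFORM_RE = re.compile(r"^This platform has an? (?P<lic>.+?) license\.$")


def parse_license_block(text):
    """Return (features dict, license name) from 'show version' output.

    Only lines between 'Licensed features for this platform:' and the
    'This platform has ... license.' summary are parsed, so the interface
    and hardware lines earlier in the output are ignored.
    """
    features = {}
    license_name = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        m = _PLATFORM_RE.match(line)
        if m:
            license_name = m.group("lic")
            break
        m = _FEATURE_RE.match(line)
        if m:
            features[m.group("name")] = m.group("value")
    return features, license_name


def easy_vpn_backup_issues(text):
    """List license facts that block 'backup interface' with Easy VPN.

    Returns an empty list when nothing in the license block rules it out.
    """
    features, license_name = parse_license_block(text)
    issues = []
    if license_name is None:
        issues.append("no license summary found in show version output")
    elif "Security Plus" not in license_name:
        issues.append(f"platform has a {license_name} license; "
                      "backup interface with Easy VPN needs Security Plus")
    # Dual ISP support is a Security Plus feature on the 5505; on a Base
    # license it shows as Disabled, as in the thread's output.
    dual = features.get("Dual ISPs")
    if dual is not None and dual.lower() != "enabled":
        issues.append(f"Dual ISPs : {dual}")
    # A restricted third VLAN can only forward to one other interface
    # (hence the 'no forward interface' lines in the posted config).
    vlans = features.get("VLANs", "")
    if "Restricted" in vlans and "Unrestricted" not in vlans:
        issues.append(f"VLANs : {vlans}")
    return issues


if __name__ == "__main__":
    for label, sample in (("Base", BASE_SHOW_VERSION),
                          ("Security Plus", SECPLUS_SHOW_VERSION)):
        problems = easy_vpn_backup_issues(sample)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against a captured `show version` (for example `easy_vpn_backup_issues(open("showver.txt").read())`) before planning a dual-ISP Easy VPN client; an empty list means the license block at least does not rule the design out, while the Base unit from the thread yields all three findings.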
02-18-2013 12:45 AM
Same thing on another 5505 ASA with different software (there is no BACKUP command):
SPB-Developer1(config)# int vlan 2
SPB-Developer1(config-if)# ba
SPB-Developer1(config-if)# ba?
configure mode commands/options:
banner
SPB-Developer1(config-if)# exi
SPB-Developer1(config)# exi
SPB-Developer1# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"