How to backup Remote Access VPN in a PIX

mserrao
Level 1

Hi all,

I've got a Remote Access VPN up and running in a PIX Firewall. The VPN sessions are established through the outside (connected to an ISP) interface.

Now I want to backup this connection with another ISP. Obviously I need to configure another interface (with public IP address), set the “crypto map” and the “crypto isakmp” to be enabled in this new interface, but the problem is the route (the default gateway must change when the outside interface is not available).

What are the options to backup the remote access VPN? Is it possible to do that configuration?

Thx in advance

/mserrao

4 Replies

Kevin P Sheahan
Level 5

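To set up interface tracking on your ASA...

! <ISP1-gateway> and <ISP2-gateway> are placeholders for each ISP's next-hop address
!
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface OUTSIDE1
 frequency 30
! an SLA operation does not run until it is scheduled
sla monitor schedule 1 life forever start-time now
!
sla monitor 2
 type echo protocol ipIcmpEcho 4.2.2.2 interface OUTSIDE2
 frequency 30
sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! tracked default routes: metric 1 (primary) and metric 2 (backup)
route OUTSIDE1 0.0.0.0 0.0.0.0 <ISP1-gateway> 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 <ISP2-gateway> 2 track 2
!
! host routes to the two probe targets, one per interface
route OUTSIDE1 4.2.2.1 255.255.255.255 <ISP1-gateway> 1
route OUTSIDE2 4.2.2.2 255.255.255.255 <ISP2-gateway> 1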

Is that what you are looking for?

Kind Regards,

Kevin


Kind Regards, Kevin Sheahan, CCIE # 41349
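An added example (not code from the thread or from Cisco) that audits an ASA-style configuration for the pieces the tracked-route setup above depends on, plus the crypto map and ISAKMP bindings the question mentions. The sample config, its gateway addresses, the `VPNMAP` name and the `has`/`audit` helpers are assumptions made for illustration.

```python
import re

# Constructed sample (not from the thread); OUTSIDE2 is deliberately left incomplete.
SAMPLE = """\
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.1 interface OUTSIDE1
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 4.2.2.2 interface OUTSIDE2
track 1 rtr 1 reachability
track 2 rtr 2 reachability
route OUTSIDE1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 198.51.100.1 2 track 2
route OUTSIDE1 4.2.2.1 255.255.255.255 192.0.2.1 1
crypto map VPNMAP interface OUTSIDE1
crypto isakmp enable OUTSIDE1
"""

def has(config, pattern):
    """True if any config line matches the (multiline) pattern."""
    return re.search(pattern, config, re.M) is not None

def audit(config):
    """List what each default route still lacks for VPN failover."""
    monitors = {n: (ip, ifc) for n, ip, ifc in re.findall(
        r"^sla monitor (\d+)\n\s+type echo protocol ipIcmpEcho (\S+) interface (\S+)", config, re.M)}
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability", config, re.M))
    routes = re.findall(
        r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?(?: track (\d+))?[ \t]*$", config, re.M)
    findings = []
    for ifc, dst, mask, _gw, trk in routes:
        if (dst, mask) != ("0.0.0.0", "0.0.0.0"):
            continue  # only default routes take part in ISP failover
        sla = tracks.get(trk)
        if sla not in monitors:
            findings.append(f"{ifc}: default route has no track bound to an sla monitor")
            continue
        target, probe_ifc = monitors[sla]
        i = re.escape(ifc)
        checks = [
            (probe_ifc == ifc, f"sla monitor {sla} probes via {probe_ifc}"),
            (has(config, rf"^sla monitor schedule {sla} "), f"sla monitor {sla} is never scheduled"),
            (has(config, rf"^route {i} {re.escape(target)} 255\.255\.255\.255 "), f"no host route to {target}"),
            (has(config, rf"^crypto map \S+ interface {i}[ \t]*$"), "crypto map not applied"),
            (has(config, rf"^(?:crypto )?(?:isakmp|ikev1) enable {i}[ \t]*$"), "ISAKMP not enabled"),
        ]
        findings += [f"{ifc}: {msg}" for ok, msg in checks if not ok]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```
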

Thx for your helpful reply

Regards

/mserrao

rizwanr74
Level 7

Hi Mserrao,

Please follow the link below, which explains, step by step and with descriptive explanations, how to make primary and backup ISP redundancy.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

As far as your VPN clients are concerned, if you have an FQDN for your public address (for VPN client use), then you must have both of your public IP(s) (i.e. new or old public IPs) assigned to your VPN's FQDN, so that when one circuit is not available, your VPN client software will try the second public IP, which the FQDN also points to.

Hope this helps.

Thanks

Rizwan Rafeek

Thx for your helpful reply

Regards

/mserrao