Multi VPN Data Center Solution

BHconsultants88
Level 1

Hi everyone, I hope you're all well. This is not so much a question, but I'd be interested to know your thoughts on best practice for a request I've been asked to work on.

Attached is a very crude network diagram (apologies!).

We have two DCs: DCR and DCS. We have a customer called Mobile City. Currently there's an IPsec VPN tunnel between Checkpoint DCR and Cisco ASA Mobile City. A lot of O365 traffic passes through this tunnel, so it's rather risky not having any resilience. Hence my request.

I've been asked to add a second tunnel between Checkpoint DCR and Cisco ASA Mobile City, and then also two brand new tunnels between Checkpoint DCS and Mobile City. It's a fairly straightforward request, but I just wanted to ask whether there are any best practices when it comes to this type of request.

My initial thoughts are that I will need the following:

  • New interface with public-facing IP address on DCR
  • 2 x new interfaces with public-facing IP addresses on DCS
  • Can I use the LAN range (e.g. 172.10.3.0/24) in the existing tunnel for all four tunnels, or would they need to be separate?
  • Can the tunnels terminate on the same interface at DCR/DCS?

I'm confident I can get the tunnels up, but I just wanted clarity on any further configuration on the LAN side, i.e. routing.

Many thanks in advance.

B

1 Reply

We had a kind of similar setup. It would be ideal if you have a different ISP providing a cable running to all your firewalls (for example, the ASA).

For example,

ASA
!
! Primary ISP circuit
interface gig0/0
 nameif outside
 ip address 1.1.1.1 255.255.255.0
 no shut
!
! Second ISP circuit, used as the backup path
interface gig0/1
 nameif backup
 ip address 2.2.2.2 255.255.255.0
 no shut
!

The other question is: which IKE version are you running, version 1 or version 2? Ideally you should run version 2. The other thing is that you cannot run a redundant crypto map on IKEv2. here

Also, you can run IP SLA to track your VPN: if one goes down, the other will come up. here

Now the interesting bit: as the interesting subnet for both tunnels would be the same, what you can do is NAT it. Hide the real subnet and translate it to a mapped (NATted) IP.

Example:

!
! Real (inside) host that must be hidden behind the NAT
object network Real_IP
 host 192.168.100.1
!
! Mapped address the remote side will see
object network Mapped_IP
 host 172.16.1.1
!
! Remote host at the other end of the tunnel
object network Remote_IP
 host 10.10.10.1
!
! Static twice NAT, applied only for traffic destined to Remote_IP
nat (in,out) source static Real_IP Mapped_IP destination static Remote_IP Remote_IP no-proxy-arp route-lookup
!

Hope this makes sense.

Please do not forget to rate.
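As an added example (not from the thread or from Cisco), here is how the pieces the reply mentions fit together on the Mobile City ASA: two ISP-facing interfaces, an SLA track that fails the default route over to the backup interface, and an IKEv1 crypto map listing the DCR and DCS Checkpoints as ordered peers. All addresses, object names and the pre-shared keys are constructed placeholders; 172.10.3.0/24 is the LAN range from the question, and 172.16.1.0/24 is an assumed mapped subnet in the style of the reply's Mapped_IP object.

```cisco
! Added example, not from the thread. Addresses are constructed (RFC 5737 documentation ranges).
! Two ISP-facing interfaces on the Mobile City ASA.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.0
 no shutdown
!
! Probe the primary ISP gateway; when it stops answering, the tracked
! default route is withdrawn and the backup route (metric 254) takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! IKEv1 site-to-site policy, enabled on both ISP interfaces.
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: the NATted local subnet to the DC LAN range from the question.
access-list VPN-DC extended permit ip 172.16.1.0 255.255.255.0 172.10.3.0 255.255.255.0
!
! One crypto map entry, two peers tried in order: DCR Checkpoint first, DCS Checkpoint as fallback.
crypto map DC-MAP 10 match address VPN-DC
crypto map DC-MAP 10 set peer 192.0.2.1 192.0.2.2
crypto map DC-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map DC-MAP interface outside
crypto map DC-MAP interface backup
!
! One tunnel-group per peer; the keys are placeholders.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-DCR-PSK
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-DCS-PSK
```

The same crypto map bound to both interfaces means the tunnel re-establishes from whichever ISP currently holds the default route; the matching peer and proxy IDs must of course also exist on the DCR and DCS Checkpoints.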