Multiple Peer on Single crypto configuration
07-09-2009 04:54 AM
I have a Cisco PIX 515E ver 7.2. Below is the configuration I have set to achieve VPN failover even if one ISP fails, but this doesn't work. It only works if I put in bi-directional, irrespective of which single IP I have in there. Any suggestion?
crypto map pix-to-pix 36 match address Anand
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 1.1.1.1 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 123456
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 123456
Labels: VPN
07-21-2009 07:46 AM
How are you defining this "VPN failover"? Which end has the dual ISP? If the remote end is the one that will have 2 possible IP addresses, then this configuration is needed. Can you be a bit more specific?
07-21-2009 08:13 AM
Dual ISP is on the remote end. On my end it is a Cisco PIX with one ISP.
07-21-2009 08:17 AM
Then this is the needed configuration.
07-21-2009 08:21 AM
crypto map pix-to-pix 36 set connection-type originate-only
With this configuration the tunnel goes down when 2 IPs are added.
07-21-2009 08:23 AM
The remote end has to have answer-only for the tunnel to be started, and you need to have a public IP address to public IP address traffic definition if the remote end is not an ASA. If it were an ASA, as long as you have originate-only on one side and answer-only on the other end, the public-to-public ACL is automatically created.
07-21-2009 08:29 AM
The remote end is a Fortinet firewall device. How will I define "public IP address to public IP address traffic definition"? I am not clear on this :-(
07-21-2009 08:31 AM
So say, for instance, your ASA has IP address 4.4.4.4 and your Fortinet has 3.3.3.3 and 2.2.2.2. Your crypto access list on your ASA would look like this:
access-list crypto permit ip host 4.4.4.4 host 3.3.3.3
access-list crypto permit ip host 4.4.4.4 host 2.2.2.2
access-list crypto permit ip local network remote network
And the Fortinet should emulate this.
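Putting the pieces of this thread together, here is an added example (not configuration posted by anyone in the thread) of the PIX/ASA-side configuration for a single crypto map entry with two remote peers and originate-only. The addresses 4.4.4.4 (local) and 3.3.3.3 / 2.2.2.2 (remote Fortinet) come from the post above; the inside networks 10.1.1.0/24 and 10.2.2.0/24, the interface name "outside", the ISAKMP policy and the key placeholder are assumptions.

```cisco
! Added example: PIX/ASA 7.2-style configuration for one crypto map entry
! with two remote peers. 4.4.4.4, 3.3.3.3 and 2.2.2.2 are from the thread;
! 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) are assumed networks.

! Crypto ACL: one host-to-host entry per remote public address, plus the
! real interesting traffic. The Fortinet side must mirror these so the
! Phase 2 proxy IDs match whichever of its two addresses is in use.
access-list crypto extended permit ip host 4.4.4.4 host 3.3.3.3
access-list crypto extended permit ip host 4.4.4.4 host 2.2.2.2
access-list crypto extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

! One map entry, two peers: the PIX tries 3.3.3.3 first and falls back to
! 2.2.2.2. originate-only requires the remote side to be answer-only, so
! the PIX is always the initiator and the peer list is meaningful.
crypto map pix-to-pix 36 match address crypto
crypto map pix-to-pix 36 set connection-type originate-only
crypto map pix-to-pix 36 set peer 3.3.3.3 2.2.2.2
crypto map pix-to-pix 36 set transform-set ESP-3DES-MD5
crypto map pix-to-pix interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! One tunnel-group per possible remote address: the PIX selects the
! tunnel-group by the peer's IP, so each address needs its own L2L entry.
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY
```

After the Fortinet fails over to its second address, "show crypto isakmp sa" and "show crypto ipsec sa" on the PIX should show the Phase 1 and Phase 2 SAs rebuilt against 2.2.2.2 once interesting traffic is sent. 3DES/MD5 are kept here only because that is what the thread uses; on any software that offers it, prefer AES and SHA, and replace the short key from the original post with a long random one.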
07-21-2009 08:35 AM
Thanks for the information. I will try this tomorrow when I am in the office.
07-23-2009 07:06 AM
I did something similar to this where the remote end was an ASA 5505. The 5505 has the dual-ISP option with SLA monitoring. On the home end, I had to set it to originate-only. Additionally, I had to create a "ping script" that would generate interesting traffic to automatically rebuild the tunnel.
