1172 Views, 0 Helpful, 7 Replies

Please advise on Site 2 Site VPN setup as per in the below image

Ram_ESP
Level 1

[Image: CiscoNW.jpg]

7 Replies

Hi,
On ASA HO, define both IP addresses of ASA BO under the crypto map; it will connect to the first IP address until that fails, then connect to the 2nd. E.g. "crypto map CMAP 1 set peer X.X.X.X Z.Z.Z.Z"

I assume you have IP SLA configured on ASA BO to failover the default route to Z.Z.Z.Z if the first ISP connection fails?

HTH

Hi,

On Cisco ASA HO, I tried to add IP address X.X.X.X in the crypto map under Z.Z.Z.Z, but it throws an error. Then I created a connection profile separately.

First, I added a connection profile via ISP 1 to Y.Y.Y.Y on Cisco ASA BO. Then, while adding a connection profile via ISP 2 to Y.Y.Y.Y, it showed an overlap and the connection profile via ISP 1 disappeared from the page. Now if I disable the ISP 2 interface, I see IPSec via ISP 1 but no TX on Cisco ASA BO and no RX on Cisco ASA HO.

I feel failover works but I have missed something. Please help.

 

Thanks,

Ram

What are the error(s)?
Please provide your configuration of the ASAs.

Hi, please let me know which side's Cisco ASA configuration is needed. Let me know if you need the complete configuration or only IPSec.

Thanks,

Ram

balaji.bandi
Hall of Fame

If you have overlapping IPs you can NAT again; here is a good document on how you can deploy for that overlapping IP:

https://www.petenetlive.com/KB/Article/0001446


BB


Hi All,

My ISP 2 internet communicates with HO via S2S. But I see only TX on the BO S2S and no RX, and on the HO Cisco ASA I see RX and no TX.

What could be the reason?


Thanks, Ram

This could be a NAT issue; you would need to have NAT exemption rules between the 2 networks to ensure that traffic is not unintentionally NATted. Provide the output of "show nat detail".

It could be a routing issue on the remote ASA; confirm the routing on the local ASAs is correct. Do the devices you are attempting to ping have a route via the local ASA?

Provide your full configuration of the ASA and the output of "show crypto ipsec sa" from both ASAs.
Run packet-tracer on both ASAs and upload the output.
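Added configuration sketch (not posted by anyone in this thread) tying together the two points the replies make: the dual-peer crypto map on the HO ASA with the tracked default route on the BO ASA from the first reply, and the NAT exemption from the last reply. Addresses follow the thread's placeholders (X.X.X.X / Z.Z.Z.Z for the BO ISP addresses, Y.Y.Y.Y for HO); the object names, subnets, interface names and gateway placeholders are constructed assumptions.

```cisco
! ----- ASA HO (outside IP Y.Y.Y.Y): one crypto map entry, two BO peers -----
! Constructed example subnets; substitute the real LANs.
object network HO_LAN
 subnet 10.1.0.0 255.255.255.0
object network BO_LAN
 subnet 10.2.0.0 255.255.255.0
access-list VPN_TRAFFIC extended permit ip object HO_LAN object BO_LAN
!
! Identity NAT (NAT exemption) so HO<->BO traffic is never translated.
! A missing exemption shows up as encaps on one ASA and no decaps on the other.
nat (inside,outside) source static HO_LAN HO_LAN destination static BO_LAN BO_LAN no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map CMAP 1 match address VPN_TRAFFIC
! Primary peer first; the ASA moves to the second only when the first fails.
crypto map CMAP 1 set peer X.X.X.X Z.Z.Z.Z
crypto map CMAP 1 set ikev1 transform-set TS_AES256_SHA
crypto map CMAP interface outside
crypto ikev1 enable outside
! One L2L tunnel-group per possible peer address, same pre-shared key.
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group Z.Z.Z.Z type ipsec-l2l
tunnel-group Z.Z.Z.Z ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! ----- ASA BO: tracked default route so the tunnel follows the working ISP -----
! (BO keeps its own crypto map with peer Y.Y.Y.Y applied to both ISP interfaces.)
sla monitor 1
 type echo protocol ipIcmpEcho <ISP1-GW-PLACEHOLDER> interface ISP1
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route ISP1 0.0.0.0 0.0.0.0 <ISP1-GW-PLACEHOLDER> 1 track 1
route ISP2 0.0.0.0 0.0.0.0 <ISP2-GW-PLACEHOLDER> 254
```

With this in place, "show crypto ipsec sa" on both ASAs should show matching encaps and decaps counters; one-sided counters point back at the NAT exemption or the routing on the side that shows zero.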