Redundant s2s peering with dynamic public IP

Cieciaczek1
Level 1

I was asked to implement backup s2s tunnels between HQ and remote site.


At HQ there is a 5510 ASA with a fixed public IP address on outside interface.


At Remote there is an ASA 5505 with a fixed public IP address on outside (towards fiber internet access) and a 2921 router with a 4G module.

The 4G module is assigned a dynamic public IP.


The goal is to have a primary s2s between ASA at HQ and ASA at Remote and a secondary s2s between ASA at HQ and 4G at Remote.

Configuration on Remote should be simple:

  • S2s on ASA5505 peering with public IP at HQ
  • S2s on c2921 (via 4G) peering with public IP at HQ
  • Static route towards ASA5505 with tracking on the internet access via fiber (if the connection is lost, traffic will be rerouted to the 4G module on the 2921)


The problem is, however, on ASA 5510 at HQ.

If there were 2 fixed public IPs at Remote (one on ASA and one on 4G) the setup at HQ would need to include:


#crypto map NAME xx set peer "primary peer" "secondary peer"


In my case the secondary IP is a dynamic IP and it's configurable with the command above.

Has anyone ever done it? Please let me know if you have any tips.


Many thanks to all who at least read this post :)

1 Reply

Hello


You need to use a dynamic crypto map. The following document will give you an idea of how this works.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html


That being said, you can configure the crypto dynamic map and bring the tunnel up, BUT if the proxy IDs are the same you might generate a conflict between the static crypto map used for the remote 5505 and the crypto dynamic map for the router.

A way to work around this would be to configure NAT on the router so the "remote proxy ID" seen by the 5510 is different for the static crypto map and the dynamic crypto map.


I hope this helps.
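As an added illustration of the static-plus-dynamic crypto map layout described in the reply (this is not the replier's or Cisco's configuration), here is what the HQ 5510 side could look like. It assumes ASA 8.4+ syntax with IKEv1, constructed addresses (HQ LAN 10.1.0.0/16, remote LAN 10.2.0.0/24, 5505 outside 203.0.113.10), and that the 2921 NATs the remote LAN to 10.2.100.0/24 before the 4G tunnel so the two proxy IDs differ; the pre-shared keys are placeholders.

```cisco
! HQ ASA 5510 (constructed example, ASA 8.4+ syntax, IKEv1)
! HQ LAN 10.1.0.0/16, remote LAN 10.2.0.0/24, remote 5505 outside 203.0.113.10
! The 2921 is assumed to NAT the remote LAN to 10.2.100.0/24 before the 4G
! tunnel, so the fiber and 4G tunnels present different proxy IDs to the 5510.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Primary tunnel: static crypto map entry for the 5505 with its fixed address
access-list VPN-FIBER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-FIBER-PLACEHOLDER>
crypto map OUTSIDE-MAP 10 match address VPN-FIBER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA

! Backup tunnel: dynamic crypto map for the 2921, whose 4G address is not known
! in advance. Its ACL uses the NATed subnet, so it never overlaps VPN-FIBER.
access-list VPN-4G extended permit ip 10.1.0.0 255.255.0.0 10.2.100.0 255.255.255.0
crypto dynamic-map DYN-4G 10 match address VPN-4G
crypto dynamic-map DYN-4G 10 set ikev1 transform-set TS-AES256-SHA
! The dynamic entry takes the highest sequence number so static entries match first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-4G
! IKEv1 sessions from an unknown peer fall into DefaultL2LGroup; give it its own key
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-4G-PLACEHOLDER>

crypto map OUTSIDE-MAP interface outside

! Keep both remote subnets out of HQ's dynamic PAT (NAT exemption)
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object-group network REMOTE-LANS
 network-object 10.2.0.0 255.255.255.0
 network-object 10.2.100.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static REMOTE-LANS REMOTE-LANS no-proxy-arp route-lookup
```

Check the result with show crypto ikev1 sa and show crypto ipsec sa after failing over the fiber link; note that a dynamic crypto map entry can only be brought up by the router side, never initiated from HQ, so interesting traffic must originate at the remote site.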