Redundant VPN design

Hi all,

I need a solution for this implementation:

2 sites

2 internet connections each site (different providers)

1 ASA in each site

I need a config that allows me to have redundant VPN connections from one site to the other. I need to have a VPN up using, let's say, internet connection A from site 1 and internet connection from site 2 and if internet connection A from site 1 goes down the VPN connects using internet connection B from site 1 to internet connection A from site 2. This must be done without user intervention.

If I can't do it with the ASA, what can I use in order to achieve this scenario? Another router (2900), some kind of load balancing?

I'd like to use the ASA because I have a lot of inbound NAT configured and keeping the public IPs on the ASA outside interface would be great.

Many thanks, regards.


Re: Redundant VPN design

Hi,

You can do it with the ASA's on each side.

Both ASA have two internet connections.

They will use one Internet connection as the primary link to establish the VPN to each other.

The secondary Internet connection will be used as a backup by means of a static route with higher metric to trigger the tunnel when the primary link goes down.

You need static routes and IP SLA to track the connections.

Federico.


Re: Redundant VPN design

Hi all,

Thanks for your input.

I know I can have 2 different ISP with SLA and static routes, but can I have 2 VPNs with the same crypto map?

Regards

Accepted Solution

Re: Redundant VPN design

Yes.

You can apply the same crypto map on both interfaces.

Also... if you have many VPN peers, they can terminate on the same crypto map as well.

If you need for example many VPN Site-to-Site tunnels, you create a single crypto map with different sequence numbers to accept all VPN connections.

Federico.



Re: Redundant VPN design

Thanks for your replies.

I'm waiting for 2 boxes in order to do some labs and test it outside the real world.

Many thanks

PS: for reference to others:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/ike.html#wp1121157


Re: Redundant VPN design

Hi,

I was just wondering if you ever got this to work after your testing.  I am trying to do the same thing but can't seem to pass traffic on the backup (redundant) ISP connection.  The tunnel comes up but will not pass any traffic.  I am able to pass traffic with no problem when the primary ISP is up and connected through the outside interface.

Thanks!


Re: Redundant VPN design

Hi,

I never had the chance to test it because one of the firewalls I got was broken.

I still have this pending testing, but I need to get 2 ASA firewalls... and it's not easy, because I need to implement this for a customer and I don't want to go out and test it live.

Can you share your configs?

Regards


Re: Redundant VPN design

Thanks for the reply.

I actually just got this working. My problem was that I created 2 separate crypto map entries with different values assigned for each peer. I needed to just define 1 crypto map per interface (outside and backup) and add each of the ISP public IPs on the same line (the set peer command).

Once I did that everything started working fine.  I think I was creating 2 separate VPN tunnels by creating 2 different peers and the firewalls were getting confused on where to send the traffic.  The way I have it working now just creates 1 tunnel and is valid for either public IP.

In short, I can confirm this works and is a great solution in our situation!

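For reference, here is an added example of the site 1 side of the design described in Federico's first reply and confirmed in the post above (tracked static routes, one crypto map on both interfaces, both remote public IPs on one set peer line). It is not a configuration posted by anyone in this thread; it assumes ASA 8.3-style syntax, and all addresses, object names, the map name VPNMAP and the placeholder pre-shared key are made up (RFC 5737 documentation ranges).

```cisco
! Added example, not from this thread. Site 1 ASA, two ISPs, one L2L tunnel to site 2.
! Assumed: outside = 203.0.113.2 (ISP A, gateway .1), backup = 198.51.100.2 (ISP B, gateway .1)
! Assumed site 2 public IPs: 192.0.2.10 (its ISP A) and 192.0.2.20 (its ISP B)
!
! --- Track ISP A's gateway; the default route floats to ISP B when the probe fails ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254
!
! --- Interesting traffic, plus NAT exemption for BOTH egress interfaces ---
! (exemption is per interface pair, so the backup pair needs its own rule)
object network SITE1_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE2_LAN
 subnet 10.2.0.0 255.255.0.0
access-list VPN_S2 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside,outside) source static SITE1_LAN SITE1_LAN destination static SITE2_LAN SITE2_LAN
nat (inside,backup)  source static SITE1_LAN SITE1_LAN destination static SITE2_LAN SITE2_LAN
!
! --- IKEv1 phase 1 / phase 2 parameters, ISAKMP enabled on both interfaces ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
crypto isakmp enable backup
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map entry with both remote peers on the same "set peer" line
! (the fix confirmed above); the same map is applied to both interfaces.
crypto map VPNMAP 10 match address VPN_S2
crypto map VPNMAP 10 set peer 192.0.2.10 192.0.2.20
crypto map VPNMAP 10 set transform-set ESP-AES256-SHA
crypto map VPNMAP interface outside
crypto map VPNMAP interface backup
!
! One tunnel-group per remote peer address; site 2 uses the same key for site 1's two IPs.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>
```

Site 2 mirrors this with its own addresses and site 1's two public IPs on its set peer line; after pulling ISP A, `show route` should show the backup default route active and `show crypto isakmp sa` a rebuilt SA via the backup interface.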

Re: Redundant VPN design

Hi,

Glad you made it.

Can you share the configs (removing the sensitive info)?

Many thanks