Redundant VPN design

rcordeiro (Level 1)

Hi all,

I need a solution for this implementation:

2 sites

2 internet connections each site (different providers)

1 ASA in each site

I need a config that allows me to have redundant VPN connections from one site to the other. I need to have a VPN up using, let's say, internet connection A from site 1 and internet connection from site 2 and if internet connection A from site 1 goes down the VPN connects using internet connection B from site 1 to internet connection A from site 2. This must be done without user intervention.

If I can't do it with the ASA, what can I use in order to achieve this scenario? Another router (2900), some kind of load balancing?

I'd like to use the ASA because I have a lot of inbound NAT configured and keeping the public IPs on the ASA outside interface would be great.

Many thanks, regards.

9 Replies

Hi,

You can do it with the ASA's on each side.

Both ASA have two internet connections.

They will use one Internet connection as the primary link to establish the VPN to each other.

The secondary Internet connection will be used as a backup by means of a static route with a higher metric, to trigger the tunnel when the primary link goes down.

You need static routes and IP SLA to track the connections.

Federico.

Hi all,

Thanks for your input.

I know I can have 2 different ISP with SLA and static routes, but can I have 2 VPNs with the same crypto map?

Regards

Yes.

You can apply the same crypto map on both interfaces.

Also... if you have many VPN peers, they can terminate on the same crypto map as well.

If you need for example many VPN Site-to-Site tunnels, you create a single crypto map with different sequence numbers to accept all VPN connections.

Federico.

Thanks for your replies.

I'm waiting for 2 boxes in order to do some labs and test it outside the real world.

Many thanks

PS: for reference to others:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/ike.html#wp1121157

cobrien1473 (Level 1)

Hi,

I was just wondering if you ever got this to work after your testing. I am trying to do the same thing but can't seem to pass traffic on the backup (redundant) ISP connection. The tunnel comes up but will not pass any traffic. I am able to pass traffic with no problem when the primary ISP is up and connected through the outside interface.

Thanks!

Hi,

I never had the chance to test it because one of the firewalls I got was broken.

I still have this pending testing, but I need to get 2 ASA firewalls... and that's not easy, because I need to implement this for a customer and I don't want to go out and test it live.

Can you share your configs?

Regards

cobrien1473 (Level 1)

Thanks for the reply.

I actually just got this working. My problem was that I created 2 separate crypto map entries with different values assigned for each peer. I needed to just define 1 crypto map per interface (outside and backup) and add each of the ISP public IPs on the same line (the set peer command).

Once I did that everything started working fine. I think I was creating 2 separate VPN tunnels by creating 2 different peers and the firewalls were getting confused about where to send the traffic. The way I have it working now just creates 1 tunnel and is valid for either public IP.

In short, I can confirm this works and is a great solution in our situation!
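The following site 1 configuration is an added example written for this page; it is not a config posted by Federico, rcordeiro or cobrien1473. It combines the two pieces of the thread into one working ASA config: Federico's tracked static routes with IP SLA (primary default route via `outside`, backup default route via `backup` with a higher metric) and cobrien1473's single crypto map entry with both remote peer addresses in one `set peer` line, applied to both ISP-facing interfaces. Everything concrete is an assumption: interface names, the ASA 8.2-style syntax (`crypto isakmp`, `nat (inside) 0` exemption; on 8.3+ the NAT exemption becomes twice-NAT identity rules and on 8.4+ `crypto isakmp` becomes `crypto ikev1`), documentation-range addresses (198.51.100.x and 203.0.113.x for site 1's two ISPs, 192.0.2.2 and 192.0.2.130 for site 2's two public IPs, 10.1.0.0/24 and 10.2.0.0/24 for the LANs), and the placeholder pre-shared keys. Site 2 mirrors this with its own two ISP interfaces and site 1's two public IPs in its `set peer` line.

```cisco
! Site 1 ASA (assumed ASA 8.2 syntax). Constructed example with placeholder addresses.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! IP SLA: ping ISP A's gateway through the outside interface every 10 s;
! track 1 goes down when the echoes fail, which withdraws the tracked route.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route (metric 1, tracked) and backup default route (metric 254).
! The backup route only takes over when track 1 removes the primary.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Interesting traffic: site 1 LAN <-> site 2 LAN
access-list VPN-S2S extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! NAT exemption so the inbound NAT rules do not rewrite VPN traffic (8.2 syntax)
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! IKE must be enabled on both ISP-facing interfaces
crypto isakmp enable outside
crypto isakmp enable backup
!
! ONE crypto map entry listing BOTH site 2 public IPs (primary peer first).
! Separate entries per peer create two tunnels and break failover, as the thread found.
crypto map S2S 10 match address VPN-S2S
crypto map S2S 10 set peer 192.0.2.2 192.0.2.130
crypto map S2S 10 set transform-set ESP-AES256-SHA
! The same crypto map is applied to both interfaces
crypto map S2S interface outside
crypto map S2S interface backup
!
! A tunnel-group per remote peer address; keepalives (DPD) let the ASA notice a
! dead primary peer and move to the next address in the set peer list.
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.130 type ipsec-l2l
tunnel-group 192.0.2.130 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
 isakmp keepalive threshold 10 retry 2
```

Two things to check when testing this: `show track 1` and `show route` should show the default route flipping to `backup` when ISP A's gateway stops answering, and `show crypto isakmp sa` should then show the SA to whichever site 2 address is reachable. If the tunnel comes up on the backup interface but passes no traffic, the usual causes are a NAT exemption that only covers the `outside` interface (on 8.3+ the identity NAT rule must exist for both `(inside,outside)` and `(inside,backup)`) or the crypto map being applied to only one interface.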

Hi,

Glad you made it.

Can you share the configs (removing the sensitive info)?

Many thanks