Site-to-site IPsec VPN, ASA to IOS, redundant ISP's

rfera (Level 1)

Greetings,

Site A has an ASA 5510 and a single internet connection.

Site B has two internet connections (primary and backup).

If Site B also has an ASA, I can configure Site A's ASA to deal with a failover at Site B (set peer 1.1.1.1 2.2.2.2). Does this work if Site B has an IOS router instead of an ASA? In other words will "set peer 1.1.1.1 2.2.2.2" on the ASA work when it's talking to IOS on the other end? I have not been able to find a definite answer to this question anywhere...

Thanks!

Bob

15 Replies

david.tran (Level 4)

There is a very simple solution to this: do NOT use ASA for site-to-site VPN, use Cisco IOS instead.

On site B, use a Cisco IOS router, create a loopback interface with a public IP address, and make sure that the loopback interface is reachable over the Internet by the ASA at site A. Set up your VPN at site B using the loopback interface.

That way, the VPN is independent of the Primary or Backup Internet connections.

Your VPN will work regardless of whether the Primary or Backup connection is active.

Easy right?

Interesting thought, but it requires that the loopback address be accessible via either ISP, which isn't an option I have in this case. I need to do it with two separate IP addresses.

Thanks,

Bob

Julio Carvajal (VIP Alumni)

Hello David,

Great answer and 100 % useful

But to add to Robert: yes, it will work, because as long as you have crypto isakmp enabled on the outside interface of the ASA, it will try to set up the VPN to its peers. So if the primary on site B is up, the VPN will be built between those 2.

If the secondary is up and the primary is not, then the VPN will flow to the secondary.

That's another option as well.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Your option will work, BUT you will experience a brief outage.

With my recommendation, there will be NO outage, because as long as the loopback interface of the router at site B is reachable, the VPN will never go down.

I really don't understand why people keep using ASA for site-to-site VPN termination. The ASA is NOT designed for that kind of thing. Cisco IOS is.
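A configuration sketch of the two-peer design Julio describes, added here as an illustration and not posted by anyone in the thread. It assumes ASA 8.4+ syntax, constructed addresses (ASA outside 3.3.3.3, router WAN 1.1.1.1 and 2.2.2.2, LANs 10.1.0.0/24 and 10.2.0.0/24), and placeholder pre-shared keys; the keepalive lines are there to shorten the brief outage David mentions.

```cisco
! ---- Site A: ASA (8.4+ syntax). Addresses are constructed examples. ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
! Primary peer listed first; ASA falls back to the second when the first fails
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP interface outside
! One tunnel-group per peer address, each with its own PSK (placeholders here)
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK_PRIMARY
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK_BACKUP
 isakmp keepalive threshold 10 retry 2

! ---- Site B: IOS router with two ISP links ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! DPD so a dead primary path is noticed quickly
crypto isakmp keepalive 10 3 periodic
crypto isakmp key REPLACE_WITH_PSK_PRIMARY address 3.3.3.3
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN_TO_A
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS
 match address VPN_TO_A
! Same map on both WAN links; IKE identity follows the egress interface,
! which is why the ASA lists both 1.1.1.1 and 2.2.2.2 as peers.
interface GigabitEthernet0/0
 description Primary ISP (constructed address)
 ip address 1.1.1.1 255.255.255.252
 crypto map VPN
interface GigabitEthernet0/1
 description Backup ISP (constructed address)
 ip address 2.2.2.2 255.255.255.252
 crypto map VPN
```

Routing failover toward 3.3.3.3 (a tracked or floating static route) is assumed and not shown; adding `crypto map VPN local-address Loopback0` on the router instead turns this into David's single-address design, with the ASA then peering only with the loopback address.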

Hello David,

Agree with you!

I was just pointing out a different option.

Now regarding the second statement:

"The ASA is NOT designed for that kind of thing. Cisco IOS is." I disagree on that, I think the ASA is good at many things! One of them is the VPN, and that's for sure.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

"ASA is good at many things! One of them is the VPN, and that's for sure."

Here is a list of what ASA can not do, just to name a few:

-terminate both GRE/IPSec on the ASA (multicast over the VPN tunnel)

-DMVPN (spoke to spoke over the VPN, multicast, etc)

-getVPN (stateless VPN)

-VTI,

-very complex VPN scenarios

Now tell me one thing about VPN that ASA can do but IOS can not.

See my reply from earlier today. :-) I, for one, certainly agree with you that IOS can do more. But is there a solution to the NAT problem I described? (See https://supportforums.cisco.com/thread/2172082 and https://supportforums.cisco.com/message/3749650#3749650) If the IOS device is both a VPN endpoint and a firewall and you have overlapping addresses on the private lans you are apparently screwed. Unless there is an answer that I have been unable to find, of course... :-)

Regards,

Bob

I am sure there is a workaround for this. However, I am working for "free", so I am not putting too much time into this issue at the moment because I don't have a requirement for it yet.

Why don't you open a TAC case with Cisco? That's what support is for, right?

Hello David,

Just the troubleshooting options the ASA provides you for any feature (including VPN) make it a top option for VPN purposes.

The flexibility that the ASA provides you, etc.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, name a specific utility that ASA provides that Cisco IOS can not.

You realize that Cisco IOS also has an Embedded Capture Packet (ECP) module as well, right?

So educate me on a troubleshooting tool where ASA is superior over Cisco IOS.

By you saying "The flexibility that the ASA provides you, etc", ASA can not do:

-terminate both GRE/IPSec on the ASA (multicast over the VPN tunnel)

-DMVPN (spoke to spoke over the VPN, multicast, etc)

-getVPN (stateless VPN)

-VTI,

-very complex VPN scenarios

Is that what you call flexibility? Am I missing something?

Hello David,

ECP.. Of course I know what that is, but let me tell you, the packet capture on the ASA is way easier to use (way more flexible to check it, to download it, to build it).

The ASP capture of the ASA: another point to the ASA.

And finally the almighty Packet-tracer of the ASA. I would give 10 points for that.

Anyway.. nice debate, but it's Friday night and I hope you 2 have a wonderful weekend, as I will.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, good to know that ASA-to-IOS should work with two addresses at the IOS end. Other documents I have read say it works only when talking to another ASA. I guess I have to test it...

One problem with IOS and site-to-site VPN's... If you're using the IOS router as both your VPN endpoint and your internet access firewall AND you have an IP address overlap with the remote VPN end, there appears to be no way to get IOS to "static network" NAT only the VPN traffic and PAT/overload the internet traffic. With ASA it is easy. See these threads:

https://supportforums.cisco.com/thread/2172082

https://supportforums.cisco.com/message/3749650#3749650

Regards,

Bob

eileenr (Level 1)

Were you ever able to get this to work? I am trying something similar and it's not working. I have an ASA at a remote site configured with 2 peers, both IOS routers. When the first goes down, the ASA tries to set up the VPN to the second router, but I get the following messages in the log -

*Nov 16 15:30:28.577 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x.   was not encrypted and it should've been.

*Nov 16 15:30:28.577 UTC: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x    was not encrypted and it should've been.

Any ideas?

Unfortunately I have not had an opportunity to try it, though I should in the next few weeks. All I can say at this point is that after my last post to this thread I opened a ticket with Cisco and asked the same question. The engineer assured me that ASA-to-IOS VPN with multiple ISP's at the IOS end will work. That's all I've got at this point. Sorry for not having more info...

Please post if you find out anything more. :-)

Regards,

Bob