12-12-2010 10:24 AM - edited 02-21-2020 05:01 PM
Hi everyone,
I have a total of 6 ASA 5505s; I already built failover with dual ISP. Now I want to configure site-to-site VPN for all 3 sites. Each site has 2 firewalls.
I just built a config for site-to-site VPN; here is the config for one site.
local ip: 172.16.100.0
public ip: 10.5.1.101, 10.6.1.101
remote local ip: 172.16.101.0
remote public ip: 10.3.1.101, 10.4.1.101
remote local ip: 192.168.0.0
remote public ip: 10.1.1.101, 10.2.1.101
Tunnel configuration on the first 2 firewalls:
access-list vpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list backupvpn1 permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list vpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list backupvpn2 permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 172.16.100.0 255.255.255.0 192.168.0.0 255.255.255.0
!
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
!
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
!
!
!
crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1
crypto map outside_map 1 set peer 10.3.1.101
crypto map outside_map 1 set transform-set my-set1
crypto map outside_map interface outside
!
!
crypto map outside_map 2 match address backupvpn1
crypto map outside_map 2 set peer 10.4.1.101
crypto map outside_map 2 set transform-set my-set1
crypto map outside_map interface backup
!
!
!
crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
crypto map outside_map 3 match address vpn2
crypto map outside_map 3 set peer 10.1.1.101
crypto map outside_map 3 set transform-set my-set2
crypto map outside_map interface outside
!
!
crypto map outside_map 4 match address backupvpn2
crypto map outside_map 4 set peer 10.2.1.101
crypto map outside_map 4 set transform-set my-set2
crypto map outside_map interface backup
!
!
!
tunnel-group 10.3.1.101 type ipsec-l2l
tunnel-group 10.3.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.4.1.101 type ipsec-l2l
tunnel-group 10.4.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.1.1.101 type ipsec-l2l
tunnel-group 10.1.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.2.1.101 type ipsec-l2l
tunnel-group 10.2.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
mtu backup 1500
If this is correct, then what should I configure on the other side? I mean the complete opposite of this. Should my crypto map address name vpn1 match on the other side or not?
Any suggestion is good.
Thanks.
12-12-2010 01:42 PM
Hi,
The interesting traffic on the other side should be a mirror of this side.
The crypto map name does not need to match on the other end.
When you need multiple peers, you use a unique crypto map name with several instances (as you have it).
The other important part is the routing.
The routes will decide which interface to use to negotiate the tunnel and fallback to the backup.
Federico.
12-12-2010 02:08 PM
Thanks for the reply.
My other side config is like this. I just want to know where I need routing!
local ip: 172.16.101.0
public ip: 10.3.1.101, 10.4.1.101
remote local ip: 172.16.100.0
remote public ip: 10.5.1.101, 10.6.1.101
remote local ip: 192.168.0.0
remote public ip: 10.1.1.101, 10.2.1.101
Tunnel configuration on firewalls 3 and 4 (Union):
access-list vpn1 permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list backupvpn1 permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn3 permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list backupvpn3 permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 172.16.101.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat permit ip 172.16.101.0 255.255.255.0 192.168.0.0 255.255.255.0
!
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
!
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
!
!
!
crypto ipsec transform-set my-set1 esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1
crypto map outside_map 1 set peer 10.5.1.101
crypto map outside_map 1 set transform-set my-set1
crypto map outside_map interface outside
!
!
crypto map outside_map 2 match address backupvpn1
crypto map outside_map 2 set peer 10.6.1.101
crypto map outside_map 2 set transform-set my-set1
crypto map outside_map interface backup
!
!
!
crypto ipsec transform-set my-set3 esp-3des esp-sha-hmac
crypto map outside_map 5 match address vpn3
crypto map outside_map 5 set peer 10.1.1.101
crypto map outside_map 5 set transform-set my-set3
crypto map outside_map interface outside
!
!
crypto map outside_map 6 match address backupvpn3
crypto map outside_map 6 set peer 10.2.1.101
crypto map outside_map 6 set transform-set my-set3
crypto map outside_map interface backup
!
!
!
tunnel-group 10.5.1.101 type ipsec-l2l
tunnel-group 10.5.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.6.1.101 type ipsec-l2l
tunnel-group 10.6.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.1.1.101 type ipsec-l2l
tunnel-group 10.1.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.2.1.101 type ipsec-l2l
tunnel-group 10.2.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
mtu backup 1500
I configured the other side tunnel this way, so is that all I need to configure on the firewall, or do I need anything else for it to work?
12-12-2010 02:19 PM
What I mean with routing is that either with a routing protocol or static routes the ASA can choose between interfaces to establish the tunnel.
If the ASA has the crypto map applied to two interfaces, then one should be used as primary and the other as backup.
How will the ASA choose which one is preferred? Via routing.
If using a routing protocol, the ASA will know which interface to send the packets out each time, but if using static routes you need to modify the metric and configure IP SLA.
Federico.
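The static-route variant Federico describes (modified metric plus IP SLA tracking) is not shown anywhere in the thread, so here is what it looks like for the first site; this is an added example, not a config from the thread. The ISP gateway addresses 10.5.1.1 and 10.6.1.1 and the probe target are assumptions. While the tracked primary route is up, interesting traffic leaves via outside and the tunnel is negotiated from the outside interface; when the probe fails, the backup route takes over and the crypto map applied to backup (as in the posted config) builds the tunnel to the backup peer.

```cisco
! Added example: static default routes with IP SLA tracking for the first
! site (public IPs 10.5.1.101 on outside, 10.6.1.101 on backup).
! Assumed, not from the thread: ISP gateways 10.5.1.1 and 10.6.1.1, and the
! probe target 10.5.1.1 (in practice probe a host beyond the ISP edge, so a
! dead upstream is detected and not only the local link).
!
! Probe the primary ISP every 10 seconds with 3 ICMP echoes.
sla monitor 1
 type echo protocol ipIcmpEcho 10.5.1.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Tracking object 1 follows the reachability result of sla monitor 1.
track 1 rtr 1 reachability
!
! The primary default route (metric 1) stays installed only while track 1
! is up; the backup route (metric 254) takes over when the probe fails.
route outside 0.0.0.0 0.0.0.0 10.5.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.6.1.1 254
!
! Verify with: show route / show sla monitor operational-state / show track 1
```

The same block, with the gateways swapped for that site's ISPs, goes on each of the other two sites; the `isakmp keepalive` lines already in the posted config let the ASA tear down the dead tunnel quickly after the route flips.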
12-12-2010 02:30 PM
Got it.
Thanks for your help.
Did you see my config in the last post? Is that right or not? This config is the last config on the other two firewalls, so please tell me whether I configured it right or wrong.
local ip: 192.168.0.0
public ip: 10.3.1.101, 10.4.1.101
remote local ip: 172.16.100.0
remote public ip: 10.5.1.101, 10.6.1.101
remote local ip: 172.16.101.0
remote public ip: 10.3.1.101, 10.4.1.101
Tunnel configuration on firewalls 5 and 6:
access-list vpn2 permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list backupvpn2 permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list vpn3 permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list backupvpn3 permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.101.0 255.255.255.0
!
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
!
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
!
!
!
crypto ipsec transform-set my-set2 esp-3des esp-sha-hmac
crypto map outside_map 3 match address vpn2
crypto map outside_map 3 set peer 10.5.1.101
crypto map outside_map 3 set transform-set my-set2
crypto map outside_map interface outside
!
!
crypto map outside_map 4 match address backupvpn2
crypto map outside_map 4 set peer 10.6.1.101
crypto map outside_map 4 set transform-set my-set2
crypto map outside_map interface backup
!
!
!
crypto ipsec transform-set my-set3 esp-3des esp-sha-hmac
crypto map outside_map 5 match address vpn3
crypto map outside_map 5 set peer 10.3.1.101
crypto map outside_map 5 set transform-set my-set3
crypto map outside_map interface outside
!
!
crypto map outside_map 6 match address backupvpn3
crypto map outside_map 6 set peer 10.4.1.101
crypto map outside_map 6 set transform-set my-set3
crypto map outside_map interface backup
!
!
!
tunnel-group 10.5.1.101 type ipsec-l2l
tunnel-group 10.5.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.6.1.101 type ipsec-l2l
tunnel-group 10.6.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.3.1.101 type ipsec-l2l
tunnel-group 10.3.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
tunnel-group 10.4.1.101 type ipsec-l2l
tunnel-group 10.4.1.101 ipsec-attribute
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
!
!
mtu backup 1500
I just want to know whether I need any more configuration or not.