Site to Site VPN using ASA behind dual WAN router with ip sla failover

stefpiazza · ‎08-31-2011

hello, I have a remote office with a dual WAN router (2911) in front of an ASA (5510). Our main office currently has an ipsec site to site vpn to that remote office ASA. The router has two ISPs. ISP-A is the wan link used for the site to site and has provided us with a /28 public address space which we use on the ASA outside interface for the site to site. Now we are in the process of getting a second ISP which will also provide a /28 or /29 public address space. I would like to use that second ISP for backing up the site to site in case ISP-A link goes down. I think I have the IP SLA config worked out. My question involves NAT. On the router I would like to configure a static nat that only takes place if ISP-A goes down. In other words, if everything is working fine, then the router does not nat the ASA outside address, but if the ISP-A link goes down, then the router will NAT the ASA outside address to one of ISP-B provided public addresses. Is this possible? thanks in advance

Federico Coto Fajardo · ‎08-31-2011

Hi,

I believe you're referring to conditional NAT (route-maps) on IOS or Policy NAT on ASAs.

I don't see why it can't be done from what you described.

You mind sharing a quick drawing so we can help you out further?

Thank you,

Federico.

stefpiazza · ‎09-01-2011

Hello Federico and thanks for replying. Here is a diagram of what I am trying to accomplish.

In this example, the remote office ASA has an outside public address , 1.1.1.10 , provided by ISP-A and this is the primary peer address used by the main office ASA for the site to site vpn config. Now on the remote office internet router I plan on configuring IP SLA to track ISP-A's status. If ISP-A is determined to be down, then I would like to configure the remote office internet router to NAT the ASA's outside address behind another public address provided by ISP-B (example: 2.2.2.10) and this would be the backup peer address configured on the main office ASA.

Please let me know if you need any more info that I might have left out. thanks again.

Sundeep Dsouza · ‎11-24-2011

Hi,

Did you manage to fulfill your dual ISP site to site vpn requirement?

Regards

stefpiazza · ‎11-30-2011

Hello Sundeep, yes I was able to get this working. One ISP is the primary link for regular web traffic and the other ISP is the primary link for the site to site VPN connections. Each link, via IP SLA, backs up the other in the event of ISP failure. The web failover config was straightforward and has been implemented in production. The site to site failover involved a little more testing and will be implemented to production soon. Basically, for the main office, you just need to add the backup peer to the site to site config.On the remote office internet router, the IP SLA config needs to be implemeted for the site to site traffic . Then a new NAT statement needs to be configured which would NAT the ASA's outside ip address to one of the web ISP public addresses. The NAT only takes affect after the site to site traffic gets routed over (via IP SLA/tracking) to the backup ISP interface. As long as NAT Traversal is turned on, (which it is by default) then the site to site should be back up on the backup link once the primary site to site link goes down. hopes this helps.

regards, Stefano

andygcs11 · ‎11-29-2011

I'm also trying to implement a similar configuration and would be very interested in your progress.

stefpiazza · ‎11-30-2011

hello Andrew, please see above reply. thanks.

regards, Stefano