03-17-2016 08:53 PM
Hi Experts,
Is it possible to create two site-to-site VPNs with dual ISPs on two ASAs, for backup/redundancy purposes?
Please have a look at the attached diagram.
Company B (right) has two internet links from two different ISPs that terminate on its two ASAs. They would like to set up two site-to-site VPNs to Company A (left) on the two ASAs for backup/redundancy, so if ISP-2 or ASA-2 becomes unavailable the VPN can fail over to the backup link (ISP-3 and ASA-3), and vice versa.
If this is workable could you please briefly advise how to configure the ASA? Thank you very much!
Regards,
Jacky
03-17-2016 09:56 PM
Hi haluochen9988,
This is indeed possible.
Here are a few documents for your reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
https://supportforums.cisco.com/blog/150001
http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-18-2016 09:39 PM
Hi Dinesh,
Thank you for your reply.
The examples you suggested all use one ASA connected to two ISP links. What I need is to use two ASAs connected to two ISP links, so that the devices are also redundant.
How do I implement that?
Thanks again.
Regards,
Jacky
03-20-2016 04:05 PM
I would look at it from the remote end.
On the crypto-map configuration, set 2 peers:

    crypto map IPSec-VPN1 20 ipsec-isakmp
     set peer <Public IP address of ASA 1>
     set peer <Public IP address of ASA 2>

Normally it tries peer 1 first; if that fails, it tries peer 2.
Or, if using tunnel interfaces for the VPNs, use a combination of SLA and EEM scripts to bring up the correct tunnel.
HTH
Richard
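The two-peer crypto map from the reply above, filled out as an added example (not part of the original thread) for a Company A device running Cisco IOS. The peer addresses (documentation ranges), subnets, interface, and the names TS-AES256 and VPN-TO-B are assumptions, and the pre-shared keys are placeholders.

```cisco
! Added example: Company A (single device, IOS syntax) with two peers at Company B.
! Assumed: 198.51.100.2 = ASA-2 via ISP-2, 203.0.113.2 = ASA-3 via ISP-3.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per peer so either ASA can be rekeyed or revoked on its own.
crypto isakmp key <PSK-for-ASA-2> address 198.51.100.2
crypto isakmp key <PSK-for-ASA-3> address 203.0.113.2
!
! Dead peer detection: without keepalives a dead peer is only noticed
! when the SA expires, so failover to the second peer would be slow.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: Company A LAN to Company B LAN (assumed subnets).
ip access-list extended VPN-TO-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map IPSec-VPN1 20 ipsec-isakmp
 ! "default" marks the preferred peer; the second peer is tried when it fails.
 set peer 198.51.100.2 default
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TO-B
!
interface GigabitEthernet0/0
 crypto map IPSec-VPN1
!
! Company B side: ASA-2 and ASA-3 each need a matching site-to-site tunnel to
! Company A's public address, with the mirror-image ACL and the same proposals.
! Inside routing at Company B must send return traffic to whichever ASA
! currently holds the tunnel, otherwise replies leave unencrypted or are dropped.
```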