Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4649
Views
0
Helpful
3
Replies

Site-to-Site VPN with dual ISP for backup/redundancy

haluochen9988
Level 1
Level 1

‎03-17-2016 08:53 PM

Hi Experts,

Is it possible to create two site-to-site VPN with dual ISP on two ASA, for backup/redundancy purpose?  

Please have a look at the attached diagram.

Company B (right) has two internet links from two different ISP terminate on its two ASA. They would like to setup two site-to-site VPN to Company A (left) on the two ASA for backup/redundancy, so if ISP-2 or ASA-2 become unavailable the VPN can fail over to the backup link (ISP-3 and ASA-3), and vice versa. 

If this is workable could you please briefly advise how to configure the ASA? Thank you very much!

Regards,

Jacky

Labels:
Preview file
39 KB
0 Helpful
3 Replies 3

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-17-2016 09:56 PM

Hi haluochen9988,

This is indeed possible.

Here are few documents for your reference:-

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
https://supportforums.cisco.com/blog/150001

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

haluochen9988
Level 1
Level 1
In response to Dinesh Moudgil

‎03-18-2016 09:39 PM

Hi Dinesh,

Thank you for your reply. 

The examples you suggested are all using one ASA to connect to two ISP link.What I need is to use two ASA connect to two ISP link, so that the devices are also redundancy. 

How do I implement that?

Thanks again.

Regards,

Jacky

0 Helpful

Richard Bradfield
Level 6
Level 6
In response to haluochen9988

‎03-20-2016 04:05 PM

I would look at it from the remote end.

on the crypto-map configuration set 2 peers

crypto map IPSec-VPN1 20 ipsec-isakmp
set peer < Public IP address of ASA 1>                                                                                       set peer < Public IP address of ASA 2>

normally try peer1 first if fails tries peer2

Or if using tunnel interfaces for the VPNs use a combination of SLA and EEM scripts to bring up the correct tunnel.

HTH

Richard

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents