Site-to-Site VPN with dual ISP for backup/redundancy

Hi Experts,

Is it possible to create two site-to-site VPNs with dual ISPs on two ASAs, for backup/redundancy purposes?

Please have a look at the attached diagram.

Company B (right) has two internet links from two different ISPs terminating on its two ASAs. They would like to set up two site-to-site VPNs to Company A (left) on the two ASAs for backup/redundancy, so if ISP-2 or ASA-2 becomes unavailable the VPN can fail over to the backup link (ISP-3 and ASA-3), and vice versa.

If this is workable, could you please briefly advise how to configure the ASA? Thank you very much!

Regards,

Jacky

3 REPLIES
Cisco Employee

Hi haluochen9988,

This is indeed possible.

Here are a few documents for your reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
https://supportforums.cisco.com/blog/150001

http://networkology.net/2013/03/08/site-to-site-vpn-with-dual-isp-for-backup-redundancy/


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.


Hi Dinesh,

Thank you for your reply. 

The examples you suggested all use one ASA to connect to two ISP links. What I need is to use two ASAs connected to two ISP links, so that the devices are also redundant.

How do I implement that?

Thanks again.

Regards,

Jacky


I would look at it from the remote end.

On the crypto-map configuration, set 2 peers:

crypto map IPSec-VPN1 20 ipsec-isakmp
 set peer < Public IP address of ASA 1>
 set peer < Public IP address of ASA 2>

Normally it tries peer 1 first; if that fails, it tries peer 2.

Or, if using tunnel interfaces for the VPNs, use a combination of SLA and EEM scripts to bring up the correct tunnel.

HTH

Richard
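
A check for the two-peer approach in the last reply, as an added example that is not part of the original thread: it reads a crypto map configuration and lists the entries that have fewer than two peers, meaning tunnels with no backup peer to fail over to. It handles the sub-command form shown in the reply and the ASA single-line form `crypto map NAME SEQ set peer A B`; the map names and addresses in the samples are constructed.

```python
import re

# Constructed sample configs (documentation addresses, not from the thread).
IOS_SAMPLE = """\
crypto map IPSec-VPN1 10 ipsec-isakmp
 set peer 198.51.100.10
 match address 110
crypto map IPSec-VPN1 20 ipsec-isakmp
 set peer 198.51.100.10
 set peer 203.0.113.10
 match address 120
"""
ASA_SAMPLE = """\
crypto map OUTSIDE_MAP 20 match address VPN-ACL
crypto map OUTSIDE_MAP 20 set peer 198.51.100.10 203.0.113.10
crypto map OUTSIDE_MAP 30 set peer 192.0.2.77
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+)\s*(.*)$")


def peers_by_entry(config):
    """Return {(map_name, seq): [peers in configured order]}."""
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            current = (name, seq)
            entries.setdefault(current, [])
            if rest.startswith("set peer "):      # ASA: peers on one line
                entries[current] += rest.split()[2:]
        elif line.startswith("set peer ") and current:   # IOS sub-command
            entries[current].append(line.split()[2])
        elif raw and not raw[0].isspace():
            current = None                        # left the crypto map block
    return entries


def single_peer_entries(config):
    """Entries with fewer than two peers, i.e. no backup peer."""
    return sorted(k for k, v in peers_by_entry(config).items() if len(v) < 2)


if __name__ == "__main__":
    for label, cfg in (("IOS", IOS_SAMPLE), ("ASA", ASA_SAMPLE)):
        for key, peers in peers_by_entry(cfg).items():
            print(label, key, peers, "OK" if len(peers) > 1 else "NO BACKUP PEER")
```

The peer order in the returned list is the configured order, which is the order the reply describes the device trying them in.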