Two IPSEC VPNs between the same two ASAs

sanchezeldorado (Level 1)

Hello,

I have two locations. Both locations have an ASA and an internet connection and are connected via VPN. They're also connected with an MPLS connection as a backup connection to the VPN. If internet drops at one site, I can still reach the internet through the MPLS and out the other site's internet connection.

Each site is connected to a 3rd party vendor via IPSec VPN. I want this to be fully redundant as well, and it's been suggested that I setup two VPNs at each site to the 3rd party vendor. So four VPNs.

1. Site 1 to Vendor for Site 1 to Vendor traffic.

2. Site 1 to Vendor for Site 2 to Vendor traffic. (This would be a backup if Site 2's internet went down)

3. Site 2 to Vendor for Site 2 to Vendor traffic.

4. Site 2 to Vendor for Site 1 to Vendor traffic. (This would be a backup if Site 1's internet went down)

I have a /28 block of external IPs at each site. Is it even possible to setup a site to site VPN using an external IP that is not the primary external interface IP? If so, how? If not, does anyone have any ideas of how this should be made redundant?

Thanks!

Andy

2 Accepted Solutions

balaji.bandi (Hall of Fame)

I have a /28 block of external IPs at each site. Is it even possible to setup a site to site VPN using an external IP that is not the primary external interface IP?

No, I guess here the VPN address is required to be attached to the interface for the VPN to work.

BB


Tyson Joachims (Spotlight)

You will have to use the external interface IP address as the source of both of your VPN tunnels at both sites. The only way around this that I can see would be if you had a second ISP for which you would have a second external interface IP address with them. This obviously could get expensive and the way that you're currently doing it looks really good in terms of being able to utilize the Internet of the far side if your local ISP fails for any reason.
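Both accepted answers come down to the same point: on an ASA the IKE/IPsec endpoint is the address of the interface the crypto map is bound to, so the spare addresses in the /28 cannot be used as a second tunnel source. Redundancy therefore has to come from what each tunnel carries, not from which address it uses. The Site 1 configuration below is an added, constructed example (not posted by anyone in this thread) showing one tunnel to the vendor whose crypto ACL covers both sites' LANs, so that Site 2's vendor traffic can cross the MPLS link and leave through Site 1's tunnel when Site 2's internet is down. All addresses are RFC 5737 documentation ranges, the object and map names are assumptions, and the pre-shared key is a placeholder.

```cisco
! Site 1 ASA, constructed example (not from the thread).
! outside: 203.0.113.2/28  (this interface address is what the vendor sees as the IKE peer)
! Site 1 LAN: 10.1.0.0/16, Site 2 LAN: 10.2.0.0/16 (reached over MPLS via 10.1.0.254)
! vendor LAN: 172.16.50.0/24 behind vendor peer 198.51.100.10

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240

! Site 2's LAN is reachable through the MPLS router on the inside
route inside 10.2.0.0 255.255.0.0 10.1.0.254

! IKEv2 policy and IPsec proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Both sites' LANs are in the crypto ACL: this single tunnel carries
! Site 1 traffic normally and Site 2 traffic when Site 2's internet is down.
object-group network LOCAL-LANS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
object network VENDOR-LAN
 subnet 172.16.50.0 255.255.255.0
access-list VENDOR-VPN extended permit ip object-group LOCAL-LANS object VENDOR-LAN

! Identity NAT so tunnel traffic keeps its real addresses
nat (inside,outside) source static LOCAL-LANS LOCAL-LANS destination static VENDOR-LAN VENDOR-LAN no-proxy-arp route-lookup

! The crypto map is bound to "outside"; there is no separate "local address" knob,
! which is why a spare /28 address cannot be the tunnel source.
crypto map outside_map 10 match address VENDOR-VPN
crypto map outside_map 10 set peer 198.51.100.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside

tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER
```

Site 2 gets the mirror image (its own outside address as the peer the vendor sees, the same two-LAN crypto ACL, and a route for 10.1.0.0/16 over MPLS). After bringing the tunnel up, `show crypto ikev2 sa` confirms the local address is the outside interface IP and `show crypto ipsec sa` shows the 10.2.0.0/16 selector being negotiated from Site 1 as well. The part this configuration cannot decide is on the vendor's side: with both ASAs offering the same subnets, the vendor has to choose which tunnel to send return traffic for each LAN through and fail over when one peer goes away, so that behaviour needs to be agreed with them before relying on the backup path.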

3 Replies

sanchezeldorado (Level 1)

Thanks guys. You each answered one of my questions. One is that it's not possible. And two that the secondary internet connection would be the only way to do that. I'll discuss the options with my client.
