Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
576
Views
0
Helpful
2
Replies

Two s-t-s tunnels to same network - asa

srdjankatic
Level 1
Level 1

‎09-02-2013 07:05 AM

  Hi,

i am configuring VPN solution between  3 sites. Site A is remote office that connects to HQ office witch is site B.

Site C is disaster recovery site that connects by L2VPN to site B (HQ) so they are in same network/subnet and i threat them as single site from the VPN routing point of view. Each site has it's own asa appliance.

Can i create to VPN tunnels to same remote subnet (site B and site C are in the same subnet) and tell ASA to use one of those tunnels as primary?

What is your opinion for solutioning this kind of VPN, how would you do it?

Please see attach for info.

Tnx,

Srdjan

Labels:
Preview file
15 KB
0 Helpful
2 Replies 2

Jeet Kumar
Cisco Employee
Cisco Employee

‎09-02-2013 03:31 PM

Hi,

If you do not need both the tunnel active at the same time and want to use them as primary and back up you need only one crypto map on the ASA and add both the IP as primary and back up.

Forexample.

On Site B and C you will have the normal site to site VPN configuration.

On site A you need to do the following:

access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

crypto map outside_map 10 set transform-set VPN

crypto map outside_map 10 set peer x.x.x.x (site B) x.x.x.x (site C)

crypto map outside_map 10 match address vpn

crypto map outside_map interface outside

tunnel-group x.x.x.x (IP of site B) type ipsec-l2l

tunnel-group x.x.x.x (IP of site B) ipsec-attribute

pre-share-key cisco123

tunnel-group x.x.x.x (IP of site C) type Ipsec-l2l

tunnel-group x.x.x.x (IP of site C) ipsec-attribute

pre-share-key cisco123

So in short you need to create only one crypto map on site A and define the IP address of Site B and C as peer.

And create 2 tunnel-group with the same pre-shared key.

SO which ever IP you will use first in the set peer command will become primary and other will become back-up.

I hope this answers your question. Please let me know if you have any other question.

Thanks

Jeet Kumar

0 Helpful

srdjankatic
Level 1
Level 1
In response to Jeet Kumar

‎09-03-2013 02:22 AM

Hi,

Thank You for reply, i will try this in few days on site and let You know is it working.

Tnx again,

Srdjan

0 Helpful
Customers Also Viewed These Support Documents