VPN configuration on ASA5510 with two WAN

Zigmunds Vitins
Level 1

Hello,

I would like to find some documentation on how to configure IPsec VPN, but without success.

At my office there are two uplinks - LAN and Backup, both connected to an ASA5510 (with static IP), and I would like to create an IPsec tunnel to the data center, where I have another ASA5510 with one uplink.

Thanks.

7 Replies

nkarthikeyan
Level 7

Please let me know if my understanding is wrong.... You want to create IPsec VPN connectivity between your branch office and a data centre.... In your office you have the LAN connected to two WAN links, say (Link 1 and Link 2), but in the data centre you have only 1 WAN link into the outside interface of the firewall. You want to make your IPsec VPN between branch and DC work for both the links from your branch office LAN.

Yes, that is right. I want that if the primary uplink in the office fails, IPsec to the data center will work through the backup link.

Thanks

Okay... great... What kind of IPsec VPN are you going to use: Site to Site / Client to Site? Get me the detailed info on these and let me try to find a solution for you on the same.

If you have any network diagram representing the same... please share that as well...

Hello,

I would like to use a Site to Site IPsec VPN.

At this moment I don't have a network diagram, but it looks like this:

         ---primary (ext 1.1.1.1/29) uplink---
Office                                         --- internet --- Data center (ext 3.3.3.3/29, int 192.168.0.0/24)
         ---backup (ext 2.2.2.2/29) uplink---

Thanks

Hi Zigmunds,

The below configuration is just an example... you can try it out.... this should work as far as I know... please work with this model and let me know if you get the results... hoping for a good result...

Site 1 with 2 Internet Links
=================================

Outbound Access-List
====================

access-list in-to-out extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list in-to-out extended permit ip any any
access-list in-to-out extended deny ip any any
!
access-group in-to-out in interface inside
!
! crypto ACLs: one per uplink, both covering office LAN -> DC LAN
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_1_cryptomap2 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! crypto map for the primary uplink (interface Outside)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map_link1 10 match address Outside_1_cryptomap
crypto map Outside_map_link1 10 set peer 3.3.3.3
crypto map Outside_map_link1 10 set transform-set ESP-3DES-SHA
crypto map Outside_map_link1 interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! crypto map for the backup uplink (interface Outside1), same DC peer
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map_link2 20 match address Outside_1_cryptomap2
crypto map Outside_map_link2 20 set peer 3.3.3.3
crypto map Outside_map_link2 20 set transform-set ESP-3DES-SHA1
crypto map Outside_map_link2 interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key cisco
!

Data Centre
=============

access-list outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound extended permit ip any any
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Outside_1_cryptomap1 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
!
global (outside) 1
global (outside) 2
nat (inside) 2 access-list Outside_1_cryptomap1
nat (inside) 1 access-list Outside_1_cryptomap
!
! entry 10: tunnel to the office primary address 1.1.1.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 1.1.1.1
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco
!
! entry 20: tunnel to the office backup address 2.2.2.2
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 20 match address Outside_1_cryptomap1
crypto map Outside_map 20 set peer 2.2.2.2
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco
!

Hello,

I found that on the Datacenter side in the VPN configuration I have to change only one line:

crypto map Outside_map 10 set peer 1.1.1.1 2.2.2.2

Is it correct?

Thanks.
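As an added example (not from any post in this thread), the two pieces the thread leaves open: how the office ASA actually switches its default route to the backup uplink, and the data centre crypto map in the two-peer form the last post asks about. The ISP gateway addresses 1.1.1.6 and 2.2.2.6, the probe target 198.51.100.1 and the NAT exemption are assumptions; the rest reuses the thread's names and addresses.

```cisco
! Office ASA: track reachability through the primary uplink.
! 198.51.100.1 is an assumed probe target, 1.1.1.6 / 2.2.2.6 assumed ISP gateways.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface Outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Primary default route is withdrawn when the probe fails; the floating
! route (metric 254) on Outside1 then carries IKE/ESP to 3.3.3.3 from 2.2.2.2.
route Outside 0.0.0.0 0.0.0.0 1.1.1.6 1 track 1
route Outside1 0.0.0.0 0.0.0.0 2.2.2.6 254
! Dead peer detection drops the SA built over the failed link so a new
! one is negotiated from the backup address instead of waiting for lifetime expiry.
tunnel-group 3.3.3.3 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Data centre ASA: one crypto map entry listing both office addresses.
! The ASA accepts IKE from either listed peer and, when it initiates,
! tries them in the order given.
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
! NAT exemption (8.2 syntax) so VPN traffic keeps its private source address;
! assumes the DC does not want this traffic translated.
nat (inside) 0 access-list Outside_1_cryptomap
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 1.1.1.1 2.2.2.2
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
! A tunnel-group (pre-shared key) is still needed for each peer address.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 10 retry 2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 10 retry 2
```

Verify the failover with `show track 1`, `show route`, and `show crypto isakmp sa` on both sides after pulling the primary link; the DC should show the SA peer change from 1.1.1.1 to 2.2.2.2.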
