IPSec btw single ASA and 2 ASAs connected to different ISPs

balsheikh
Level 1

Hi all,

The scenario is as follows: I have two sites, assume A and B. In site A I have one ASA, and in site B I have two ASAs serving the same internal network segments (VLANs), but each connected to a different ISP from the outside-interface point of view. The plan is to establish an IPSec tunnel between the two sites, and here the question is raised: how could we configure the two ASAs in site B to be in failover only for IPSec tunnels? Or, to phrase my question in a different way: how could we configure a single ASA to establish IPSec tunnels with two standalone ASAs, so that in case the first one fails the other takes over the responsibility of acting as the IPSec termination point?

Appreciate your coordination in advance.

7 Replies

Jon Marshall
Hall of Fame

Hi

The simplest thing to do would be to replicate your configuration between the 2 standalone ASA devices and then, on the single ASA under the crypto map settings, you can enter 2 peer statements, e.g.

crypto map vpn-set 1 set peer "first ASA IP address"

crypto map vpn-set 1 set peer "second ASA IP address"

The ASA will try the peers in order.

HTH

Jon

You also have to set the VPN at site A to answer only, and the two at site B to answer only. This means, though, that site A always has to bring up the tunnel. You can make a ping script on site A to keep the tunnel up to combat this...

Hi,

To accomplish the task of setting the VPN at both sites to answer only, is further configuration required beyond the normal IPSec VPN parameters?

I'm a newbie to ping scripts; could you please shed more light on this? If you have a sample, it would be highly appreciated.

Regards,

Belal

To set it to originate/answer only, use the following crypto map lines:

crypto map outside_map 20 set connection-type originate-only

crypto map outside_map 20 set connection-type answer-only

For the ping script, you may have to look online or write it in Perl (can't really help with that).

Cheers.

Jay

Hi guys,

Well, if possible, upgrade to 8.0; this will help you a lot, because this was a bug, or you can say a limitation, of the 7.2 IOS in PIX or ASA: you cannot specify 2 peers, or in other words a backup peer for VPN. In the 7.2(22) interim release this was fixed. You don't need to specify originate-only.

But 7.2(22) has some problems with remote-access VPN. Think of 8.0, which is good and will help you in what you want to achieve.

And in this type of VPN connectivity, disable PFS.

Hope this helps you.

regards

amit

So you are telling me (us) that the need to use originate-only on multiple-peer crypto maps (backup peer) has been totally eliminated in 7.2(22)? If so, then it would seem it's closer to the old PIX 6.3(5) code, which worked(s) like a charm.

And if this is true, this would mean we could run bi-directional in this scenario. That would be great!

Hi,

Yes, my friend Joe. After 7.2(22) and 8.x, it works like 6.3(5).

You can run bi-directional, no problems at all. I have tested that and it is working in my network.