11-04-2007 03:06 AM - edited 03-03-2019 07:24 PM
Hi, I'm just wondering if this is possible or what other choices I have.
I have many 800 and 1800 series routers in small offices that are in VPN mode that connect to a Cisco concentrator.
We have a Cisco PIX firewall (soon to be upgraded to an ASA 5520, hopefully), and I was wondering: if the Cisco Concentrator failed, could I configure the routers to point to our Cisco PIX if I configured the PIX with site-to-site VPNs?
Thanks
11-04-2007 03:42 AM
Andy
It should be possible to have the remote sites configure their VPN to specify 2 peers, first the concentrator and then the ASA. In this configuration the remote would attempt to establish a VPN session with the concentrator and if that failed it would establish a VPN session with the ASA.
HTH
Rick
11-04-2007 05:01 AM
Hi Rick, thanks, great! Below I have part of a config; is this the peer part? Also, do I just add the 2nd peer after it for it to go in order of which peer to use first?
Just need an example to picture what you are saying :)
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key mypassword address 1.2.3.4
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set My_T_Set
match address 101
!
ip cef
!
!
11-04-2007 07:54 AM
You can configure the IPsec preferred peer as the concentrator and the PIX as the backup peer, along with DPD (dead peer detection).
Have a look at these links
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_ipspp.htm
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806c2875.html
But in all these cases the VPN to the PIX will come up when the primary fails, but the tunnel would not establish back to the Concentrator once it comes up. You need to manually clear the crypto SA to achieve this.
HTH
Narayan
11-04-2007 08:01 AM
Andy
Yes. The peer is referenced in 2 places (and you got both of them): the peer is referenced in defining the preshared key and the peer is referenced in the crypto map set peer statement. Just add the address of the ASA and it should be fine.
HTH
Rick
11-04-2007 08:35 AM
Thanks, would it be something like this?
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key mypassword address 1.2.3.4 1.2.3.5
!
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
set peer 1.2.3.4 1.2.3.5
set transform-set My_T_Set
match address 101
!
ip cef
!
!
11-04-2007 08:14 PM
Andy
More like this:
crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
crypto map My_Crypto_Map 10 ipsec-isakmp
set peer 1.2.3.4
set peer 1.2.3.5
HTH
Rick
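A small sanity check for the two points Rick makes: each peer goes on its own `set peer` line (peers are tried in the order listed), and every peer needs its own `crypto isakmp key ... address` entry. This is an added Python example written for this thread, not code or configuration from Cisco or from any poster; the sample config below is constructed, and the second crypto map entry with peer 10.9.8.7 is invented purely to exercise the missing-key case.

```python
import re

# Constructed sample: Rick's corrected form (one 'set peer' per line, one key per
# peer) plus an invented second map entry whose peer has no preshared key.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mypassword address 1.2.3.4
crypto isakmp key mypassword address 1.2.3.5
!
crypto ipsec transform-set My_T_Set esp-3des esp-md5-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set peer 1.2.3.5
 set transform-set My_T_Set
 match address 101
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer 10.9.8.7
 set transform-set My_T_Set
 match address 102
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")   # first token after 'address'
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^\s*set peer (.+?)\s*$")

def parse_config(text):
    """Return (set of keyed peer addresses, {map entry: [peers in listed order]})."""
    keyed, maps, current = set(), {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            keyed.add(m.group(1))
        elif m := MAP_RE.match(line):
            current = f"{m.group(1)} {m.group(2)}"
            maps[current] = []
        elif (m := PEER_RE.match(line)) and current:
            maps[current].append(m.group(1))
    return keyed, maps

def check_peers(text):
    """Flag a 'set peer' carrying several addresses (the single-line form guessed
    above) and any peer lacking a matching 'crypto isakmp key ... address' line."""
    keyed, maps = parse_config(text)
    problems = []
    for entry, peers in maps.items():
        for peer in peers:
            if len(peer.split()) > 1:
                problems.append(f"{entry}: 'set peer {peer}' must be one address per line")
            elif peer not in keyed:
                problems.append(f"{entry}: peer {peer} has no 'crypto isakmp key ... address' entry")
    return problems
```

Run `check_peers(SAMPLE_CONFIG)` against a router's `show running-config` output before a failover test; an empty list means every listed peer is reachable by the crypto map and has a key.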