Redundant Site to Site VPN Pix/ASA

Answered Question
Feb 1st, 2008

Hi All,


I have a site which has two peer endpoints and wants one of them to be redundant. I know it's possible to configure on the crypto map more than one peer.

Is there a configuration feature like dpd available on the pix/asa? The version running on the pix is 7.2.3.


TIA


Jack

Correct Answer by acomiskey about 9 years 2 months ago

See here under usage guidelines...


http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090


Connection type needs to be originate-only as well, which means the far end must be answer-only.


I also don't think you need to create separate tunnel groups, but I could be wrong.

jackwikinski Fri, 02/01/2008 - 08:50

Hi,


Thanks for your answer.


In essence my config should look something like this:


crypto map match address 101

crypto map pix set peer peer one

crypto map pix set peer peer two

crypto map set transform-set myset



tunnel-group peer 1 type ipsec-l2l

tunnel-group peer 1 ipsec-attributes

isakmp keepalive 10 2


tunnel-group peer 2 type ipsec-l2l

tunnel-group peer 2 ipsec-attributes

isakmp keepalive 10 2


Thanks.


Jack.
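
The backup-peer setup discussed in this thread, written out in full PIX/ASA 7.2 command syntax with the originate-only/answer-only pairing from the answer (an added example, not configuration from either poster). All addresses, the pre-shared key, the sequence number 10, the map name remote, the interface name outside and the transform-set algorithms are placeholders or assumptions; an ISAKMP policy is assumed to exist already and the far-end peers are assumed to be PIX/ASA 7.x as well.

```cisco
! --- Local PIX/ASA (initiator): constructed example, placeholder values ---
! 192.0.2.1 = primary far-end peer, 198.51.100.1 = backup far-end peer
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
!
crypto map pix 10 match address 101
! Both peers on one entry; they are tried in the order listed
crypto map pix 10 set peer 192.0.2.1 198.51.100.1
crypto map pix 10 set transform-set myset
! Needed for the backup-peer behaviour, per the answer above
crypto map pix 10 set connection-type originate-only
crypto map pix interface outside
crypto isakmp enable outside
!
! One tunnel group per peer, as in the sketch above, named by peer address
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_KEY>
 ! DPD: 10 s idle threshold, 2 s between retries
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER_KEY>
 isakmp keepalive threshold 10 retry 2
!
! --- Each far-end peer (responder); 203.0.113.1 = the local unit above ---
access-list 101 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map remote 10 match address 101
crypto map remote 10 set peer 203.0.113.1
crypto map remote 10 set transform-set myset
! Far end must only answer when the near end is originate-only
crypto map remote 10 set connection-type answer-only
crypto map remote interface outside
```

After a failover test, `show crypto isakmp sa` on the local unit shows which of the two peers currently holds the tunnel.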
