Jul 17th, 2008

I need to replace my Checkpoint with an ASA 5520 as VPN concentrator and install a secondary ASA at a new site, with an MPLS link between them; there is no need for an L2L VPN between the two ASAs.

I also have 10 remote sites to migrate that use the Checkpoint VPN-1 Edge, which I am keeping.

I know that I can use a secondary peer in case of failure of the primary ASA, but can I use "reverse route injection" to advertise the new L2L networks from the main ASA or from the backup?


Daniel Voicu Thu, 07/17/2008 - 05:58

Yes, you can use RRI and then advertise the remote IPs in your routing protocol:

crypto map <map-name> <seq-num> set reverse-route

However, there is a simpler way.

Just configure a different IP pool on each ASA.

When a user connects to one ASA they get one set of IPs, and when they connect to the secondary they get another set of IPs.

This way you can use static routing for the reverse traffic.

Reverse traffic for the first pool is sent to the first ASA, and traffic for the second pool is sent to the secondary ASA.

Please rate if this helped.
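The two approaches from the answer above, written out as an added configuration example (not from this thread or from Cisco documentation); interface names, the crypto map and ACL names, all addresses, the OSPF process and the tunnel-group name are assumptions, in ASA 8.0-era syntax, and the inside router is assumed to run IOS:

```text
! ---- Option 1: reverse route injection on each ASA, redistributed into OSPF ----
! Crypto ACL naming the remote branch LAN behind the Checkpoint VPN-1 Edge (addresses assumed)
access-list L2L_BRANCH1 extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_BRANCH1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
! RRI: the ASA installs a static route for 192.168.10.0/24 towards the outside interface
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

! Primary ASA: hand the injected static routes to the inside network over OSPF
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets

! Secondary ASA (same crypto map and ACL): same RRI, but a worse redistribution metric,
! so the primary's route is preferred while the primary is up and reachable
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets metric 200

! ---- Option 2: a distinct remote-access pool per ASA and plain static routes inside ----
! Primary ASA
ip local pool RA_POOL_PRIMARY 10.200.1.1-10.200.1.254 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool RA_POOL_PRIMARY

! Secondary ASA
ip local pool RA_POOL_SECONDARY 10.200.2.1-10.200.2.254 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
 address-pool RA_POOL_SECONDARY

! Inside IOS router: return traffic for each pool goes to the ASA that owns that pool
ip route 10.200.1.0 255.255.255.0 10.1.1.1
ip route 10.200.2.0 255.255.255.0 10.1.1.2
```

One caveat for Option 1 that matters in a primary/backup design: with a static crypto map, the ASA installs the RRI route as soon as the map is configured and keeps it whether or not the tunnel is up (only dynamic crypto maps add the route when the IPsec SA is established). Both ASAs therefore advertise the branch prefix at all times, and the metric difference is what steers traffic to the primary; if the primary ASA fails, its OSPF adjacency drops and its routes are withdrawn, leaving only the secondary's. Whether the branch Checkpoint actually re-establishes the tunnel to the secondary peer is a separate question that its own peer configuration decides.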



eric.loiseau Thu, 07/17/2008 - 06:51

I use L2L and I don't want to use different IP ranges, and my remote sites use the Checkpoint VPN-1 Edge.


Daniel Voicu Thu, 07/17/2008 - 07:47

You can use the ASAs in cluster (failover) mode, but that means they need to be in the same VLANs.
