Tunnel redundancy between PIX and ASA

Aug 1st, 2008

I have a PIX506E running version 6.3.x in a branch office and an ASA at the central site running version 7.2.x. We have installed a second ISP at the central site and we'd like to configure a backup/redundant tunnel from the branch office to the central site, through the new ISP. Is it possible? Does anyone have any document with a config example?


Farrukh Haroon Fri, 08/01/2008 - 06:00

Assign any one IP address from the new provider's block to another interface on the ASA. Assign the same crypto map to it. Then add a second 'set peer' command on the branch office (based on this new public IP).



jsol Sat, 08/02/2008 - 09:23

The problem is that, due to network topology, I have to terminate the secondary tunnel to the same ASA's interface. It enters the central site via a different ISP (new public IP) and via NAT is translated to the ASA's outside interface. Do you think it's possible? This is because between the external routers and the ASA, we have a load balancer and a CheckPoint firewall, and all external traffic should pass through it.



Farrukh Haroon Sat, 08/02/2008 - 11:55

Well, if the network topology forces you to use the same physical interface, why don't you make logical interfaces? What is the role of the load balancer?



