ASA5505 configure VPN Primary and Backup

Answered Question
Aug 3rd, 2008

Dear Expert,


I would like to ask you a question. I'm not clear about how to set up a VPN with a primary and a backup connection. How can we do this? (I mean that when the primary goes down, the backup connection comes up automatically.)

Could you advise me how I can do it?


Best Regards,

Rechard_hk

Overall Rating: 5 (6 ratings)
Marwan ALshawi Sun, 08/03/2008 - 18:40

Is it a site-to-site VPN?

And do both have the same LAN behind them? I mean, are the networks behind them the same IPs or different?

If they have the same private network behind them, what I suggest you do is create another tunnel group for the backup VPN, and in the crypto map:

crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer 192.168.6.2

Here the IP address represents your primary VPN peer.

crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer 192.168.6.5

Here the IP address represents the backup VPN peer.

Notice that the map name is the same but the sequence number is higher, so the ASA will first try the map entry with number 10; if that is not successful, it will go to number 20.

Also, in the above config I assume that both remote peers, the primary and the backup, have the same LAN, which matches ACL 101 in the above config.

Don't forget to make a separate L2L tunnel group for the backup VPN peer and, under its tunnel-group ipsec attributes, put the shared key for the backup peer.

Briefly, it is like you are defining two site-to-site VPNs, but you make their map the same map with a different sequence number.

good luck

Please, if helpful, Rate
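The following is an added, complete ASA configuration that puts Marwan's two-sequence-number idea together with the pieces his post mentions but does not show (the ACL, the per-peer tunnel groups and their keys, the transform set, and binding the map to the interface). It is example configuration written for this page, not a configuration posted in the thread. The peer addresses 192.168.6.2 and 192.168.6.5, ACL 101 and the map name FWMAP come from the thread; the LAN subnets 10.1.1.0/24 and 10.2.2.0/24, the interface name outside, the transform-set name ESP-AES-SHA and the pre-shared keys are assumptions or placeholders. The syntax is the ASA 7.x/8.0 style in use when the thread was written.

```text
! Added example configuration (not from the thread): primary and backup L2L peers
! on one crypto map. Assumed: local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! outside interface named "outside", transform set ESP-AES-SHA, placeholder keys.

! Interesting traffic. One ACL serves both crypto map entries because the
! primary and the backup peer front the same remote LAN.
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Phase 1 policy and Phase 2 transform set, shared by both peers.
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! One L2L tunnel group per peer, each with its own pre-shared key. Use a
! distinct, randomly generated key per peer so that one key does not unlock both.
tunnel-group 192.168.6.2 type ipsec-l2l
tunnel-group 192.168.6.2 ipsec-attributes
 pre-shared-key <PRIMARY-PSK-PLACEHOLDER>
tunnel-group 192.168.6.5 type ipsec-l2l
tunnel-group 192.168.6.5 ipsec-attributes
 pre-shared-key <BACKUP-PSK-PLACEHOLDER>

! Same map name, two sequence numbers, as suggested in the thread:
! entry 10 (primary) is evaluated before entry 20 (backup).
crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer 192.168.6.2
crypto map FWMAP 10 set transform-set ESP-AES-SHA
crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer 192.168.6.5
crypto map FWMAP 20 set transform-set ESP-AES-SHA
crypto map FWMAP interface outside

! Alternative the ASA also supports: list both peers on a single entry. The ASA
! tries them in the order given and moves to the next when no SA can be built.
! crypto map FWMAP 10 set peer 192.168.6.2 192.168.6.5

! Verification after pulling the primary peer:
! show crypto isakmp sa    -> which peer the Phase 1 SA is currently up with
! show crypto ipsec sa     -> the active Phase 2 SA and its peer address
```

Whichever form is used, the remote side must be prepared to accept the local ASA as a peer on both devices, and the tunnel will only be re-established after the existing SA with the primary peer times out or is cleared, so expect a gap rather than a seamless switch. Keeping the two pre-shared keys different limits the blast radius if one remote device is ever compromised.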

rechard_hk Sun, 08/03/2008 - 19:53

Dear marwanshawi,

Thank you for your advice :)

OK, I understood the commands that you gave me. Could I ask you again?

1. While both ISPs are up, does all the traffic go out through both ISPs or not?

If the traffic goes out through both, how can we know which client goes to ISP1 and which other client goes to ISP2?


Best regards,

Rechard_hk


Marwan ALshawi Sun, 08/03/2008 - 20:38

The above config is regarding the primary and backup ASA VPN.

About ISP use, it is now related to how you route your traffic: are you load balancing or load sharing the traffic, or using it in an active and backup manner?

You can also control your users to prefer one link over the other through the default route.

Let's say you go to ISP 1 through IP 1.1.1.1 and ISP 2 through 2.2.2.2:

route outside 0 0 1.1.1.1
route outside 0 0 2.2.2.2 5

So all the traffic will go through ISP one; once ISP1 is down, the traffic will flow through ISP2.

please, Rate if helpful

JORGE RODRIGUEZ Sun, 08/03/2008 - 18:41

You could accomplish this through an Active/Standby configuration and enable stateful configuration for this to work. Unfortunately the ASA5505 does not support stateful; you can still have Active/Standby with dual ISP as a backup link, but if the primary ASA5505 fails the standby takes over but will not carry stateful traffic, that is VPN traffic; VPN tunnels will require reconnections.


HTH

Jorge

rechard_hk Sun, 08/03/2008 - 20:02

Dear Jorgemcse,

Thank you for your advice :)

Could you let me know about Active/Standby on the ASA? I'm not clear: can Active/Standby be done with only one box, or does it have to be two boxes?

Is it possible or not to do Active/Standby when I have only one box?

One more: I have a problem on the ASA 5505,

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

Advanced Endpoint Assessment : Disabled


I can create interfaces vlan1 and vlan2, but when I create one more interface, vlan3, it is not allowed. What is going on, and how can I do it?

I mean I want to create WAN, LAN and DMZ.

Best regards,

Rechard_hk

Correct Answer
JORGE RODRIGUEZ Sun, 08/03/2008 - 20:58

I guess we should have asked for a little more information; it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.

I had geared more towards a fault tolerance scenario for a failed firewall or a failed ISP connection in a dual FW and dual ISP architecture.

Assuming you want to have a redundant firewall design, that is where you look into Active/Standby firewalls to provide firewall redundancy; but when it comes to continuous connections with VPNs when one firewall fails, that is where the stateful feature comes into place.

I'm providing a few links below for reference to get an idea of active and standby FWs, but the ASA5505 is the only model that is stateless; it is not stateful, which means connections will need to re-establish when one firewall fails.

Also, in order to implement dual firewalls for failover you will need the Security Plus license to enable the active and standby feature. This license will also include the activation of DMZ support and the ability to create up to 20 VLANs, as well as Dual ISP support.

Example of active/standby

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

ASA comparison - Look into the IPsec Plus license and features.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

On the other hand, you may in future have a backup ISP link: not only do you have Active/Standby failover, but you may also want to have a backup ISP link should the primary link fail, using SLA and static route tracking.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


Rgds

Jorge
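Jorge's mention of SLA and static route tracking is the piece that makes Marwan's earlier two-route answer (route outside 0 0 1.1.1.1 / route outside 0 0 2.2.2.2 5) actually fail over when the ISP, rather than the ASA's own interface, goes down: a static route is only withdrawn when its interface goes down, so a floating route by itself never takes over while the outside link stays up but the ISP is unreachable. The block below is an added example configuration written for this page, not a configuration posted in the thread or taken from the linked Cisco document. The next hops 1.1.1.1 and 2.2.2.2 come from the thread; the second interface name backup, the probe target, the timers and the administrative distance 254 are assumptions. On an ASA5505 this needs the Security Plus license (the "Dual ISPs : Disabled" line in the Base license output earlier in the thread is the one that matters).

```text
! Added example configuration (not from the thread): tracked default route so the
! backup ISP takes over when the primary ISP is unreachable, not only when the
! outside interface itself goes down. Assumed: ISP1 via 1.1.1.1 on "outside",
! ISP2 via 2.2.2.2 on a second interface named "backup", probe target 1.1.1.1.

! ICMP echo probe toward the primary ISP gateway, three packets every 10 seconds.
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability result of SLA probe 1.
track 1 rtr 1 reachability

! Primary default route, administrative distance 1, tied to track 1: the ASA
! removes it from the routing table while the probe reports "down", which lets
! the floating route with the worse distance (254) take over, and reinstalls it
! when the probe recovers.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 2.2.2.2 254

! Verification:
! show sla monitor operational-state 1   -> probe state and latest return code
! show route | include 0.0.0.0           -> which default route is installed now
```

Probing the ISP's own gateway only detects a first-hop failure; if the gateway answers pings while the ISP's upstream is broken, the route will not flip. Pointing the probe at a stable address further out on that ISP's path, reached through the outside interface, catches more failure modes, at the cost of a false switch if that single target is down for unrelated reasons. Keep in mind, as both answers note, that a default-route change does not carry VPN state with it: tunnels built over ISP1 must be re-established over ISP2, and the remote peer has to accept the ASA's second public address as a peer.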


Correct Answer
Marwan ALshawi Sun, 08/03/2008 - 21:26

I liked JORGE's suggestions.

But I think the idea I have given above, to configure one map with two tunnel groups with two sequence numbers, is better in one way: with active/standby, in addition to the required license, you are going to make a whole firewall passive, waiting for the active one to fail to handle the traffic, while in my opinion, if you follow the approach I have given, you can use both firewalls on the other site while you have them as primary and backup for your site for VPN.

In other words, it is like two in one: you have two active firewalls on that site, and also you have a backup VPN device for the VPN tunnels.

Again, JORGE's suggestion is great and professional.

good luck

and Please, if helpful, Rate

rechard_hk Wed, 08/06/2008 - 23:24

Dear Jorge,


Thank you for your advice.


Best Regards,

Rechard_hk

rechard_hk Mon, 08/11/2008 - 01:25

Dear Jorge,


Sorry for disturbing you again.....

So I'm not clear on one line when we do show ver.

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0


On the line (VLANs : 3, DMZ Restricted) it says VLANs: 3, but I can only create two VLANs. What is wrong?


Best Regards,

Rechard_hk

JORGE RODRIGUEZ Mon, 08/11/2008 - 08:27

Rechard_hk,


You should already have Vlan1, possibly as your inside interface, and Vlan2 as the outside interface. You should be able to create a 3rd VLAN.

i.e.

Say you need to create vlan100 with security level 50 for the 10.10.10.0/24 network:

interface Vlan100
 no forward interface Vlan1
 nameif test
 security-level 50
 ip address 10.10.10.1 255.255.255.0

Then allocate a port on the ASA built-in switch:

interface Ethernet0/4
 switchport access vlan 100
 no shutdown

nat (test) 1 0.0.0.0 0.0.0.0




Rgds

Jorge

rechard_hk Fri, 08/15/2008 - 03:14

Dear Jorgemcse,


I still get the problem; when I type this command it shows as below:

Branch(config)# int vl
Branch(config)# int vlan 100
Branch(config-if)# ip add 50.50.50.50 255.255.255.0
Branch(config-if)# no shut
Branch(config-if)# nameif star
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.


Could you let me know what I can do?


Best Regards,

rechard_hk

JORGE RODRIGUEZ Fri, 08/15/2008 - 11:03

Rechard,


I believe you may be bound to the Base license. I have in my lab an ASA5505 with a Sec Plus license, so I could not test your scenario properly. Reading a bit further on the license specs for the ASA5505 to understand what "VLANs : 3, DMZ Restricted" means, it seems that the 3rd VLAN may be a DMZ, based on Table 3-1 in the link below, but I could be wrong. Try using nameif DMZ; if it does not work, I would suggest upgrading the license to Security Plus; the part number is ASA5505-SEC-PL. With Sec Plus all ASA5505 features will be unlocked. I find this base license or 50 user license etc. nonsense, but that's the way it is.


Table 3-1 License Restrictions on Active VLANs

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/vlans.html#wp1101628



ASA Licenses

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html


ASA 5505 Complete specs

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html



Let me know how it works out.



Rgds

Jorge


