CISCO ASA backup ISP and VPN

Unanswered Question
Oct 31st, 2008
User Badges:

we have a two ISP solution, using cisco 5505 and work fine with tracking.

(route outside 0.0.0.0 0.0.0.0 a.b.c.d 1 track 1)

We have site to site VPN and this use Primary ISP's IP.Now we need to configure the same with ISP2 IP , incase ISP1 is done, we still have VPN Link is up with backup line with ISP2.

Is this possible as destination site is just one IP.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Good evening,


Yes there is a solution for this... what is the device the ASA 5505 is connecting to?


If its another ASA or a IOS router you can make the ASA 5505 a EZVPN client in network extension mode... that way you can connect the ASA to the vpn peer from either ISP 1 or 2 (depending on which one is active per the tracking).


Here is a link that explains this feature

Note: only the ASA 5505's can do EZVPN client


This link should help you get started!


-Joe


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html


Thanks!

janakamolagoda Fri, 10/31/2008 - 18:49
User Badges:

Hi Joe,

Thanks for the reply.Currently i have a site to site vpn establish through ISP 1.But in case of ISP 1 down, i have no VPN through ISP2.

So i need to configure VPN through ISP2 as well.


(In our case we have NATed ipsec traffic requested by remote datacentre)


LAN---ASA--ISP1----internet

|

--ISP2(backup)----internet


Exactly...


the ASA 5505 acting as an ezvpn client will establish a "lan-to-lan" tunnel when in "network extension mode" over either ISP 1 or 2 using the active default route to determine the pay to the ipsec peer.


You will need to config the other side as an IPSEC ezvpn server (either a PIX, ASA, or IOS router or VPN 3000 concentrator can do this).

Once the ASA 5505 connects, its private subnet will be learned and the tunnel will come up.


Read through that doc link I posted and let us know if we can be of a help. This weekend I'll have time to give out some sample configs from my security workbook if necessary.


-Joe

janakamolagoda Fri, 10/31/2008 - 20:37
User Badges:

So you mean to say, once we configure L2L using intface "outside" (IP from ISP1), we can also configure the same L2L to fall back with ISP2 for interface "backup"

--

Is it just apply

isakmp enable outside

crypto map outside_map interface outside

and

isakmp enable backup

crypto map outside_map interface backup

Actions

This Discussion