ASA Backup VPN

Unanswered Question
Jan 22nd, 2009

Hi Guys,

Tried having a look on these forums but I could not find an answer.

I am looking to configure a single ASA with a primary and backup/ redundant VPN.

The VPN remote endpoints will be a Cisco 3825 IOS router. I am aware of the crypto map map-name seq-num set connection-type originate-only command and specify a number of endpoints. But it appears this only works ASA-ASA.

I have also tried this to no avail

crypto map outside_vpn 11 match address VPN-TO-CUSTA
crypto map outside_vpn 11 set peer CUSTA_ENDPOINT_A
crypto map outside_vpn 11 set transform-set strong
crypto map outside_vpn 12 match address VPN-TO-CUSTA
crypto map outside_vpn 12 set peer CUSTA_ENDPOINT_B
crypto map outside_vpn 12 set transform-set strong

Bear in mind that the remote endpoints are different IPs on different boxes.

Can someone help me here?



Ivan Martinon Thu, 01/22/2009 - 10:55
User Badges:
  • Cisco Employee,

You need to create an SA from the public IP of the ASA to RouterA and from the public IP of the ASA to RouterB to make this work; the tunnel should be set to originate-only on your ASA. On your routers, you also need to define an SA from the public IP of RouterA to the ASA public IP, and from the public IP of RouterB to the ASA too (SA = crypto ACL). As far as I remember this is what you need, since the ASA creates SAs to the peers as soon as you have the originate-only setup. Another ASA will do it automatically, but with routers you need to do it manually.
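
Added example, not part of either post and not Cisco tooling: a small Python check run over the crypto map lines quoted in the question. It assumes the usual behaviour that, for traffic the ASA initiates, crypto map entries are evaluated in ascending sequence order and the first entry whose ACL matches is used, so a later entry matching the same ACL (and its backup peer) is never tried. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map lines quoted in the question.
SAMPLE_CONFIG = """\
crypto map outside_vpn 11 match address VPN-TO-CUSTA
crypto map outside_vpn 11 set peer CUSTA_ENDPOINT_A
crypto map outside_vpn 11 set transform-set strong
crypto map outside_vpn 12 match address VPN-TO-CUSTA
crypto map outside_vpn 12 set peer CUSTA_ENDPOINT_B
crypto map outside_vpn 12 set transform-set strong
"""

LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: {"acl": str or None, "peers": [str, ...]}}}."""
    maps = defaultdict(dict)
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # transform-set and unrelated lines are not needed here
        name, seq, keyword, value = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        entry = maps[name].setdefault(seq, {"acl": None, "peers": []})
        if keyword == "match address":
            entry["acl"] = value.strip()
        else:
            entry["peers"].extend(value.split())  # one line may list several peers
    return maps


def find_shadowed_entries(config):
    """List (map, shadowed_seq, winning_seq, acl, unused_peers) tuples."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        first_seq_for_acl = {}
        for seq in sorted(entries):  # lowest sequence number is evaluated first
            acl = entries[seq]["acl"]
            if acl is None:
                continue
            if acl in first_seq_for_acl:
                findings.append((name, seq, first_seq_for_acl[acl], acl, entries[seq]["peers"]))
            else:
                first_seq_for_acl[acl] = seq
    return findings


if __name__ == "__main__":
    for f in find_shadowed_entries(SAMPLE_CONFIG):
        print("map %s: seq %d is shadowed by seq %d (same ACL %s); peers %s unused" % f)
```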

