[5510] IPSec on outside and DMZ interfaces

frederic.peng
Level 1

Hi all,

I have a little question on IPSec on ASA5510.

I want to have a L2L tunnel IPSec on both outside and DMZ interfaces with only two networks.

The VPN on the DMZ interface will be the backup of the outside.

You can see the network diagram in attachment.

Both tunnels seem to come up correctly (one at a time), but with my DMZ interface I have no connection.

Is there a way to solve my problem?

Thanks a lot,

Frédéric

3 Replies

auraza
Cisco Employee

You can have tunnels on two interfaces, but you have to make sure your routing is set up to send traffic out that interface.

If you only want it as a backup, then you need to do something like IP SLA monitoring with route tracking, so when the monitor fails over one link, the route will fail over to the second link.

Similar to this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

PS. If you found this response helpful, please rate it.

Hi, thanks for your reply.

In fact, I want to use both interfaces: Outside & DMZ.

The outside interface will only be used to NAT the inside to the Internet, and the DMZ will have the VPN.

If my ISP on the DMZ fails, I want to have the VPN on my outside interface.

So SLA doesn't answer my problem ...

Routing seems to cause problems between the two interfaces (DMZ, outside) with the same range (the inside).

Finally, I think it's not possible ... but if you have a solution! ...

Frederic:

Looks like it will be difficult to get that working. You could use host routes with the route tracking for the VPN networks and the VPN peer IPs, where it prefers the DMZ interface, however, when it fails, the route is removed, and everything flows out the default interface. The problem with that however, is that the site you are connecting to will need to be set up to allow dynamic connections, with DPD enabled, so it detects when the original IP is unreachable.

This is definitely a tricky solution, but it could work.
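A minimal ASA configuration for the route-tracking approach auraza describes above, added here as an example (it is not from the thread or from Cisco's linked document); all addresses, object names and the pre-8.4 "crypto isakmp" command syntax are assumptions:

```cisco
! Added example, not from the thread. ASA 5510, pre-8.4 syntax assumed.
! Constructed addresses: DMZ ISP gateway 198.51.100.1, outside ISP gateway 203.0.113.1,
! remote VPN peer 192.0.2.10, remote LAN 10.20.0.0/24, local inside LAN 10.10.0.0/24.
! NAT exemption (nat 0) for inside<->remote LAN traffic is assumed to exist already.

! --- Probe the DMZ ISP gateway; track 1 follows its reachability ---
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface dmz
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! --- Default route stays on outside (the normal NAT path to the Internet) ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- Host route to the peer and route to the remote LAN prefer dmz;
!     both are withdrawn from the routing table when track 1 goes down,
!     after which the same traffic follows the default route out outside ---
route dmz 192.0.2.10 255.255.255.255 198.51.100.1 1 track 1
route dmz 10.20.0.0 255.255.255.0 198.51.100.1 1 track 1

! --- One crypto map, applied to both interfaces, so the tunnel can be
!     built from whichever interface currently carries the route ---
access-list VPN-TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp enable outside
crypto isakmp enable dmz
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 192.0.2.10
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
crypto map VPNMAP interface dmz

! --- DPD so a stale SA over the dead link is torn down quickly ---
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <REPLACE-WITH-PSK>
 isakmp keepalive threshold 10 retry 2
```

As noted in the reply above, the remote peer sees a different source address after failover, so it must accept this ASA by both its DMZ and outside addresses (or via a dynamic crypto map) and must also run DPD; otherwise it keeps the old SA until it expires.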
