01-25-2010 01:30 AM
I want to utilise the backup ISP features of the ASA 5505 using the article here:-
I guess that at the other end I will need to create a site-to-site network based on the ASA hostname as opposed to IP addresses, so that it will accept the incoming VPN link regardless of which link is in use.
Is there anything else I need to be aware of?
01-25-2010 01:16 PM
In a site-to-site VPN tunnel we never configure the peer with the name of the device; it needs to be configured with the IP address of the interface.
On remote sites you need to configure both interface IP addresses as peers.
Example
crypto map mymap 30 set peer 1.1.1.1 1.1.1.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.2 type ipsec-l2l
Say 1.1.1.1 and 1.1.1.2 are the primary and backup interface IP addresses.
Make sure you have DPD enabled on the devices.
aarti
01-26-2010 01:26 AM
Thank you for that.
What if there are backup connections at each site?
e.g.
Remote Site - ISP connections (say) 1.1.1.1 & 1.1.1.2
Main Office - 2.1.1.1 2.1.1.2
As I understand it, you can set multiple peers on originate-only connections and not answers.
So.
Set up would work
Remote Site - Using 1.1.1.1 as the ISP (primary connection) - you could set up 2.1.1.1 2.1.1.2 as the peers (as in your example)
But.. if 1.1.1.1 goes down and it switches across to 1.1.1.2, the main office will not answer as it sees it coming from the wrong IP address. Is that correct?
So how do I get this to work so that the VPN still works if it comes from 1.1.1.1 or 1.1.1.2?