ASA With 2 L2L Tunnels To Same Site/Same Network

macmad (Level 1)

I have an ASA 5510 at Site A with a L2L tunnel to another site, Site B. Single subnet at each site. In a few weeks we will be adding a second Internet connection to Site B, so both connections will be active. But we want traffic to go over the new connection unless it goes down, then use the other. How do I set that up on the ASA so it doesn't get confused as to which tunnel to take to get to the Site B subnet? Can this be done?


5 Replies

Hi,

Yes you can do that with routing.

You set up a preferred route for the preferred ISP and then a second route in case the primary ISP fails.

If the ASA at Site B has only a single outside interface terminating the tunnel, that's all you need to do.

If the ASA is going to terminate both ISP connections on different interfaces, then you need to apply the crypto map to both interfaces on ASA Side B and have the ASA on Side A pointing to the primary IP as the first option in the crypto map and secondary option for the other ISP.

Federico.

Hi Federico,

Thanks for the reply! So on site A crypto map I can specify the primary address to use to get to Site B and if that's not reachable it will try a secondary address? What is the crypto map command to do that?

Thanks!!

If ASA on Site B is going to have two different interfaces terminating the VPN, then on Site A you define two peers (one preferred).

i.e.

crypto map mymap 10 set peer 1.1.1.1 2.2.2.2

Assuming that 1.1.1.1 is the ASA's Site B first public IP and 2.2.2.2 is the ASA's Site B second public IP.

The ASA at Site A will attempt to establish the tunnel to 1.1.1.1 first and if it fails, it will try 2.2.2.2.

On Site B, the ASA should have the crypto map on both interfaces.

You can set the Site B ASA to originate the tunnel and the ASA on Site A to receive.

Federico.
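
The two-peer crypto map plus the tracked default route that Federico describes, written out for both ASAs as an added example (not the poster's configuration). Assumed, beyond what the thread gives: ASA 8.2-style syntax (later releases use `crypto ikev1 ...`), Site A's public IP 3.3.3.3, LANs 192.168.1.0/24 (A) and 192.168.2.0/24 (B), Site B ISP interfaces named outside (1.1.1.1, gateway 1.1.1.254) and outside2 (2.2.2.2, gateway 2.2.2.254), and `<PSK-placeholder>` standing in for the pre-shared key.

```cisco
! Site A ASA: answers only; Site B's two public IPs listed, first one preferred
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map mymap 10 match address L2L-B
crypto map mymap 10 set peer 1.1.1.1 2.2.2.2
crypto map mymap 10 set transform-set ESP-AES256-SHA
crypto map mymap 10 set connection-type answer-only
crypto map mymap interface outside
! one tunnel-group per Site B address; without the second, IKE from 2.2.2.2 has no PSK to match
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <PSK-placeholder>
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key <PSK-placeholder>

! Site B ASA: originates; same isakmp policy and transform-set as Site A (not repeated here)
! ISP1 on nameif outside (1.1.1.1), ISP2 on nameif outside2 (2.2.2.2)
sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.254 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! preferred default route follows the tracked probe; the backup has a worse metric
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route outside2 0.0.0.0 0.0.0.0 2.2.2.254 254
crypto isakmp enable outside
crypto isakmp enable outside2
access-list L2L-A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 10 match address L2L-A
crypto map mymap 10 set peer 3.3.3.3
crypto map mymap 10 set transform-set ESP-AES256-SHA
crypto map mymap 10 set connection-type originate-only
crypto map mymap interface outside
crypto map mymap interface outside2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key <PSK-placeholder>
 isakmp keepalive threshold 10 retry 2
! DPD lets Site A drop the stale SA to 1.1.1.1 when ISP1 dies, so the rebuild from 2.2.2.2 is accepted
```

The peer order on Site A and the tracked-route preference on Site B must agree, otherwise Site A keeps retrying an address Site B no longer sources from; NAT exemption for the two LANs is needed on both sides as usual and is left out above.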

Perfect, thanks!!

Glad I could help.

Thank you Diane :-)

Federico.