VPN tunnels between ASA 5510 and 2 PIX506.

forman102 (Level 1)

Hi,

I'm trying to figure out the best way to connect to one of my sites, where I have 2 Pix 506 firewalls (with 2 different ISPs for redundancy). In main building I have ASA 5510, so I had built 2 VPN tunnels and connected to both PIXs.  I’d like to be able to switch between these 2 tunnels, in case of service disruptions. So far I’m able to connect thru 1st tunnel I had built, but when I try to switch over to 2nd tunnel, I’m losing network connectivity (even though the tunnel is up). It seems that ASA stops forwarding packets as I see “Bytes Rx” but not “Bytes Tx” on ASA side. Is it a result of having 2 tunnels terminating to the same networks?? Is there better way to achieve redundancy in such configuration?

                                   VPN Tunnel 1 ---- Cisco PIX1 (ISP 1) --+
10.x.x.x -- ASA (108.x.x.x)                                               +-- Cisco 2950 -- 192.168.x.x
                                   VPN Tunnel 2 ---- Cisco PIX2 (ISP 2) --+

Thank you.

4 Accepted Solutions (Federico's four replies, shown in the thread below)

7 Replies

Hi,

You don't have the two tunnels up at the same time, correct?

I mean, there's only one tunnel up and passing traffic, and if this tunnel goes down, it should use the other, correct?

If this is so...

You need to configure both tunnels normally and by means of routing you give priority to one over the other.

If using static routes you can use the IP SLA tracking feature for this.

On the ASA and PIX sides.... are both tunnels terminated on the same physical interface or different interfaces?

Federico.

You are right. I have only 1 tunnel passing traffic... and if it goes down it should use the other one (but it's not at this moment). I have 1 public interface on ASA, so both Pixes (tunnels) terminate to the same interface on ASA. Then looking from ASA side there are 2 tunnels being terminated to 2 different Pixes (separate firewalls with 2 different public interfaces/IPs).

Do you think that the ASA doesn't know how to handle packets after the primary tunnel goes down? I simulated such a scenario by shutting down one of the Pixes and the ASA would not use the backup tunnel.

Also the inside interfaces on both Pixes are connected to Cisco 2950 switch. Should I use the same "inside" IP address on both? How could I configure Cisco 2950 switch to work properly in this config? I mean should I configure Pixes with different private addresses? and configure switch/PCs with 2 different gateways?

Could you provide a sample config/documentation for the IP SLA tracking feature? Will it work in my setup?

thanks again

Let's see...

The ASA uses a single interface for the tunnel termination of both PIXes.

The ASA should establish one tunnel to the primary PIX and if it fails, it should establish a separate tunnel to the other PIX.

In this case, both PIXes will have the same VPN configuration pointing to the ASA.

Do you have both peers under the same crypto map on the ASA?

i.e

crypto map mymap 10 set peer x.x.x.x y.y.y.y   -->  x.x.x.x is the public IP of the 1st PIX and y.y.y.y is the public IP of the 2nd PIX.

So, the ASA will attempt to establish the tunnel first with one PIX and if it fails it will try the other one.

You don't need the IP SLA feature on the ASA because you're using a single physical interface.

There's no need for that on the PIXes, because there are two separate PIXes.

The IP SLA is used when one single device needs to control the status of more than one of its interfaces.

I don't seem to find a configuration example, but let me know if you have any questions.

Federico.

Ok thanks. This is the current config:

! backup tunnel
crypto map MM 3 match address A_DSL_cryptomap
crypto map MM 3 set peer 65.x.x.x
crypto map MM 3 set transform-set myset2
! primary tunnel
crypto map MM 4 match address A_Cable_cryptomap
crypto map MM 4 set peer 24.x.x.x
crypto map MM 4 set transform-set myset2

Should I just completely remove crypto map MM 3 (backup tunnel) and modify crypto map MM 4? i.e.

no crypto map MM 3 match address A_DSL_cryptomap
no crypto map MM 3 set peer 65.x.x.x
no crypto map MM 3 set transform-set myset2
no crypto map MM 4 set peer 24.x.x.x
crypto map MM 4 set peer 24.x.x.x 65.x.x.x

I really appreciate your help.

Correct.

Because the interesting traffic between the ASA and both PIXes is the same traffic (does not matter through which PIX it goes).

So, not having two instances of the crypto map, but only one with two peers defined.

Also, check the routing to know to send the packets through the first tunnel first.

Federico.

Alright. Last question: how do I configure ASA to send traffic over the first tunnel first?

lukasz

On the ASA there's no "routing" way to force one tunnel over the other, because the ASA can check only its next-hop.

But the peer that you define under the crypto map as the first peer is going to be attempted first. This will tell the ASA to establish the tunnel to the first PIX first.

Federico.
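As an added example (not configuration from the original post or from Federico's replies), here is the end state the thread converges on: the two crypto map entries merged into one entry with both PIX public addresses as peers, plus the IKE keepalives that let the ASA actually notice a dead primary peer and move to the second one. The addresses are the masked ones used in the thread, the ACL and transform-set names are the poster's own; the tunnel-group stanzas, the pre-shared-key placeholders, the keepalive timers and the PIX-side map and ACL names (TO_ASA, TO_ASA_cryptomap) are assumptions.

```text
! ASA side (assumed ASA 7.x/8.x syntax).
! One crypto map entry, one interesting-traffic ACL, both PIX public
! addresses as peers. The first peer listed is tried first.
no crypto map MM 3 match address A_DSL_cryptomap
no crypto map MM 3 set peer 65.x.x.x
no crypto map MM 3 set transform-set myset2
crypto map MM 4 match address A_Cable_cryptomap
crypto map MM 4 set peer 24.x.x.x 65.x.x.x
crypto map MM 4 set transform-set myset2
!
! Each peer still needs its own L2L tunnel group (named by peer address).
! The keepalives are what let the ASA declare the primary peer dead and
! tear down its SAs; without them the SAs to an unreachable peer stay up
! until they expire, and traffic for the ACL stays bound to that peer.
tunnel-group 24.x.x.x type ipsec-l2l
tunnel-group 24.x.x.x ipsec-attributes
 pre-shared-key <key-shared-with-pix1>
 isakmp keepalive threshold 10 retry 2
tunnel-group 65.x.x.x type ipsec-l2l
tunnel-group 65.x.x.x ipsec-attributes
 pre-shared-key <key-shared-with-pix2>
 isakmp keepalive threshold 10 retry 2
!
! Either PIX 506 (assumed PIX 6.x syntax): an ordinary single-peer map
! back to the ASA. TO_ASA_cryptomap must be the exact mirror of
! A_Cable_cryptomap (same local and remote networks swapped), and the
! same keepalive settings apply on the PIX side.
isakmp keepalive 10 2
crypto map TO_ASA 10 ipsec-isakmp
crypto map TO_ASA 10 match address TO_ASA_cryptomap
crypto map TO_ASA 10 set peer 108.x.x.x
crypto map TO_ASA 10 set transform-set myset2
```

To check which peer is in use after a failover test, look at "current_peer" and the "#pkts encaps" / "#pkts decaps" counters under "show crypto ipsec sa" on the ASA: the symptom described at the top of the thread (bytes received but none transmitted) shows up there as decaps incrementing while encaps stays flat for the peer the ASA still considers current. This fragment only covers the tunnels themselves; which PIX the hosts behind the 2950 use as their gateway is a separate question that the thread does not resolve.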
