I have a pair of ASA 5252X for VPN traffic; the interfaces are:
- Outside - ISP1 - IP 220.127.116.11
Can I have two "outside" interfaces, i.e. multiple ISPs for VPN traffic (site to site)?
- Outside - ISP1 - IP 18.104.22.168
- Outside2 - ISP2 - IP 22.214.171.124
I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is this possible?
Yes Rafael, it is possible.
You need to configure SLA monitoring on the ASA for the ISP failover.
And for the VPN, add the second ISP IP as a backup peer on the remote device.
On your ASA where you have dual ISP, the same crypto map will be applied on both interfaces.
In case you need any assistance regarding the configuration, let me know.
Configuration should look something like this:
interface <outside physical interface>
 nameif outside
 security-level 0
 ip address 10.200.159.2 255.255.255.248
interface <inside physical interface>
 nameif inside
 security-level 100
 ip address 172.22.1.163 255.255.255.0
interface <backup physical interface>
 nameif backup
 security-level 0
 ip address 10.250.250.2 255.255.255.248
! 172.22.1.0/24 is your internal private network; x.x.x.x x.x.x.x is the remote site's internal network you want to access
access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 x.x.x.x x.x.x.x
access-list nonat permit ip 172.22.1.0 255.255.255.0 x.x.x.x x.x.x.x
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto map outside_map 20 match address outside_crypto_1
! x.x.x.x = public IP of the remote site
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! the same crypto map is bound to both ISP interfaces
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
! x.x.x.x = public IP of the remote site
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key <your pre-shared key>
! the primary default route stays installed only while track 1 reports the SLA target reachable
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting replies, it will flush the primary route and start pointing the routes toward the backup interface.
** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.
** As soon as the ASA starts getting replies from the outside interface, it will again start pointing the routes toward the MPLS interface.
** I hope this will answer your query.
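The backup peer on the remote device that the answer mentions is not shown above; as an added example (not from the original post), this is the matching remote-site ASA crypto map in the same pre-8.3 syntax, listing the hub's ISP1 address first and its ISP2 address as the fallback peer. The placeholders HUB_ISP1_IP, HUB_ISP2_IP, REMOTE_LAN/MASK and the pre-shared key are assumptions; the 3DES/MD5 proposal is kept only so that it matches the hub configuration above, and a new deployment should use AES and SHA-2 on both ends.

```cisco
! Remote-site ASA, added example (not from the original post).
! Placeholders: HUB_ISP1_IP / HUB_ISP2_IP = public IPs of the hub's
! outside and backup interfaces; REMOTE_LAN MASK = this site's LAN.
crypto isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Mirror image of the hub's crypto ACL: local LAN -> hub LAN 172.22.1.0/24
access-list outside_crypto_1 permit ip REMOTE_LAN MASK 172.22.1.0 255.255.255.0
access-list nonat permit ip REMOTE_LAN MASK 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address outside_crypto_1
! Two peers: HUB_ISP1_IP is tried first; if it does not answer, the
! ASA negotiates with HUB_ISP2_IP (the hub's backup interface).
crypto map outside_map 20 set peer HUB_ISP1_IP HUB_ISP2_IP
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! One tunnel-group per hub address, both with the same pre-shared key,
! so the hub authenticates whichever ISP the tunnel comes up on.
tunnel-group HUB_ISP1_IP type ipsec-l2l
tunnel-group HUB_ISP1_IP ipsec-attributes
 pre-shared-key <same key as on the hub>
tunnel-group HUB_ISP2_IP type ipsec-l2l
tunnel-group HUB_ISP2_IP ipsec-attributes
 pre-shared-key <same key as on the hub>
```

Because the hub's crypto map names a single remote peer, the remote site is the side that actually fails over between the hub's two addresses; after a failover, verify with show track 1 and show route on the hub and show crypto isakmp sa on both ends.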
You have to configure SLA monitoring on the ASA.
Follow the link below:
For the VPN part, check the link below: