I understand the fundamentals of redundant backup links (see example in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml). However, I need some advice when the ASA device participates in static IPSEC tunnels. If I configure redundancy as in the link above on the near ASA and have a static tunnel defined with a PIX at the far end, the far end won't be able to reach the near end during a backup link switchover. How does one handle that? Can the tunnels be defined twice with the same interesting traffic, or is there something fundamental I'm missing? Thanks!
Thanks, I was unaware you could have two peers at the same time. If I had fully redundant paths into the local PIX that are both available, could I do that without using redundant links? I'm afraid I'm quite ignorant with this.
My remote site is very well connected, PIX devices in failover with BGP routing against two backbones. The local site is T1 + cheap DSL that I need to keep connected without the remote site's level of sophistication, expense and complexity.
"For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list."
Here's where I get confused looking into this. On my near end I've got 2 different ISPs, and my default gateway is set to be just one of those. On the far end I've got one IP address on my PIX because it's got redundancy to the internet on it without a need for multiple crypto map entries.
So, if I do something like this on the far end:
!--- Traffic to ISP 1:
crypto map redundant 10 ipsec-isakmp
crypto map redundant 10 set peer 220.127.116.11
!--- Traffic to ISP 2:
crypto map redundant 20 ipsec-isakmp
crypto map redundant 20 set peer 18.104.22.168
crypto map redundant interface outside
(I'm omitting lots of details about access lists and transform-sets)
On the near end what do I do? I need to define crypto maps for the same traffic but apply them to different interfaces. What is going to happen? This isn't redundancy, as the crypto map isn't applied to the same interface, as it's set up on the far end.
How would the near end know to route out ISP #2 if my default gateway disappears when ISP #1 goes down?
Can one create two IPSEC tunnels then using 2 different interfaces?
On the far PIX I have a spare interface, and can give it a unique external IP and apply a crypto map to it.
On the near ASA, I can define a static route for just that far PIX IP to go through my second ISP, then apply a crypto map to it as well.
My question is in this scenario, can the crypto map be applied to different interfaces with the same ACL to define what traffic is protected? It's different from the multiple peer setting when applied to the same interface. Could this work?
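The layout the thread converges on, written out as an added example (not configuration posted by either participant): the far PIX keeps a single outside address and lists both near-end addresses as peers for the same interesting traffic, while the near ASA keeps one crypto map with one peer and applies it to both ISP interfaces, letting a tracked default route decide which interface the tunnel is built from. The two near-end addresses are the ones quoted in the post; the far PIX address (192.0.2.10), the two ISP gateways (203.0.113.1 and 198.51.100.1), the interface name "backup", the ACL and transform-set names, and the SLA/track numbers are assumptions. ISAKMP policy, pre-shared keys and the VPN-TRAFFIC access list are omitted, as in the post. It also assumes the ASA accepts one crypto map on two interfaces and that the DSL line has a fixed public address the far PIX can match as a peer.

```cisco
! === Far end (PIX, one public address, no backup link) ===
! Both near-end addresses are peers of ONE crypto map entry for the same
! interesting traffic; the PIX falls back to the next peer when negotiation
! with the first one fails. On older PIX code (6.x), per the documentation
! quoted above, the "set peer" command is repeated once per peer instead.
crypto map redundant 10 ipsec-isakmp
crypto map redundant 10 match address VPN-TRAFFIC
crypto map redundant 10 set peer 220.127.116.11 18.104.22.168
crypto map redundant 10 set transform-set ESP-AES-SHA
crypto map redundant interface outside
isakmp enable outside

! === Near end (ASA: outside = T1, backup = DSL; names and addresses assumed) ===
! The default route follows the T1 gateway while an ICMP probe sent out of
! "outside" succeeds; the DSL route (admin distance 254) takes over when the
! track goes down, which also moves the IPsec peer route to the DSL interface.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! One crypto map, one peer (the far PIX), applied to BOTH interfaces, so the
! ASA can initiate from whichever interface currently holds the default route.
crypto map redundant 10 ipsec-isakmp
crypto map redundant 10 match address VPN-TRAFFIC
crypto map redundant 10 set peer 192.0.2.10
crypto map redundant 10 set transform-set ESP-AES-SHA
crypto map redundant interface outside
crypto map redundant interface backup
isakmp enable outside
isakmp enable backup
```

Two things to check before relying on this: the far PIX must have an ISAKMP key (or certificate trust) for both near-end addresses, not just the T1 one, and after a switchover the old security association bound to the T1 address lingers until it times out or dead-peer detection clears it, so enable ISAKMP keepalives on both ends and expect a short gap rather than an instant cut-over. Interesting traffic from the near LAN needs no second ACL; the same VPN-TRAFFIC list matches on either interface because the map, not the interface, owns it.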