ASA5580 / SDM6.3(2) - Question about setting up resiliency for site to site VPN tunnels
Might sound like a basic question.
0. We have 2 ASAs
1. We have set up a site to site VPN tunnel between our ASA (Monash) and the external site (BMC).
2. The inside interface is 184.108.40.206/28 on ASA1 and 220.127.116.11/28 on ASA2 (VLAN303)
3. The outside interface is 18.104.22.168/28 on ASA1 and 22.214.171.124 on ASA2 (VLAN302)
4. Our ASAs are configured in routed mode.
5. The servers within our network that need to use this tunnel sit one router hop away from the ASA, i.e. the servers are not on a directly attached subnet to the ASA.
6. Due to 5 above, we've set up some host routes on the downstream router (which is one hop from the ASA) to point to the inside interface of our ASA (i.e. 126.96.36.199). Note here I've chosen to use ASA1 for testing.
My question is how do we set up a resilient setup where, if ASA1 goes down, traffic is routed via ASA2? At the moment, because I'm using ASA1 for testing, the static routes on the downstream router (which is one hop away) point to the inside interface of ASA1. This works well. Also note that the other end points to the ASA1 outside IP as a peer.
You have a couple of options. The first, and the one I would suggest, is to use Reverse Route Injection (RRI). Your other option is to use tracking and/or IP SLA on the router to add/remove routes depending on reachability. On the remote end you'll need to add both 188.8.131.52 and 184.108.40.206 as VPN peers.
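As an added illustration of both options in the answer above (this is not configuration from the thread), here is the ASA-side RRI with redistribution into OSPF and the router-side IP SLA tracking with a floating static route. The crypto map and ACL names, the OSPF process, the probe target 192.0.2.1, the peer 198.51.100.1 and the 203.0.113.1/.2 inside addresses for ASA1/ASA2 are placeholders, not values from the thread.

```cisco
! --- Option 1 (answer's preferred): RRI on each ASA, redistributed into
! OSPF so the downstream router learns the BMC network from whichever
! ASA is alive. Shown for ASA1; ASA2 is identical apart from its own IP.
! ASA 8.3 syntax assumed; on 8.4+ use "set ikev1 transform-set".
crypto map OUTSIDE_MAP 10 match address BMC_VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside
!
router ospf 1
 network 203.0.113.0 255.255.255.240 area 0
 redistribute static subnets
! Caveat: with a static crypto map the RRI route exists whether or not
! the tunnel is up, so this only covers ASA1 itself (or VLAN303) failing.
!
! --- Option 2: IP SLA tracking on the downstream IOS router ---
! Probe a host behind the tunnel THROUGH ASA1, so a dead tunnel or
! outside link on ASA1 also fails the route over, not just a dead ASA1.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan303
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to ASA1 so that, after failover, the probe does
! not succeed via ASA2 and flap the primary route back to a dead ASA1.
! Pick a probe target that production traffic does not need.
ip route 192.0.2.1 255.255.255.255 203.0.113.1
!
! Primary route via ASA1, withdrawn when track 1 is down;
! floating static (AD 10) via ASA2 takes over.
ip route 192.0.2.0 255.255.255.0 203.0.113.1 track 1
ip route 192.0.2.0 255.255.255.0 203.0.113.2 10
```

Whichever option you pick, the BMC side still has to list both ASA outside addresses as peers, as the answer notes, or the tunnel cannot be rebuilt from ASA2.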