08-21-2012 04:10 PM - edited 03-11-2019 04:44 PM
Hi Experts,
I've been doing some research on how to configure an ASA with Dual ISP with IPSec Tunnel going to HQ.
Here is the outline of what I think I may need to do.
1. Configure the Redundant Link, which led me to this:
Fair enough, I was able to grasp the concept on the above link.
2. Configure VPN with HQ_ASA. This seems to be the tough part.
What I would like to do is that Primary Link (15 Mbps DSL) will form VPN Peer with HQ when it is UP (used tracking as stated above).
When the Primary Link fails, the Secondary Link (5 Mbps DSL) will form a new VPN Peer with HQ.
On both instances, the HQ_VPN Peer will have the same IP Address.
Looking forward to your response, guys.
Thank you.
08-26-2012 09:37 PM
Hello Jemel,
Sure.. Keep me posted.
do a more system:running-config | begin tunnel-group
in order to check them in clear text.
Regards,
Julio
Rate all the helpful posts
09-02-2012 08:48 PM
Hi Julio,
VPN Connectivity is already UP, but there might be something wrong with my access-list. I still can't browse the internet.
I've read some of your replies to similar issues and I've taken note of it.
https://supportforums.cisco.com/thread/2123926
ciscoasa(config)# packet-tracer input inside Tcp 10.80.1.1 1025 4.2.2.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
Funny thing is, I've already configured my access-list to almost allow all. There must be something that I missed.
08-26-2012 09:13 PM
Hi Jemel,
I have a similar setup in the real world. Below is the config:
In HQ:
1) Under the main crypto map, just add the secondary IP of Branch WAN2:
crypto map Outside_map 1 set peer x.x.x.x y.y.y.y
x.x.x.x = Branch Primary WAN IP
y.y.y.y = Branch Secondary WAN IP
2) Create a Tunnel-group for the backup peer:
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key try123
In Branch:
1) Just apply the crypto map to the backup interface:
crypto map Outside_map interface backup_wan
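The branch side that goes with Waren's HQ snippet, as an added example that is not from his post or from Cisco documentation: the same crypto map is applied to both WAN interfaces, the default route on the primary is tied to an SLA track so the tunnel re-forms over the secondary when the primary goes dark, and the 8.4 "ikev1" keywords are used since Jemel is on 8.4 (on 8.2 drop the "ikev1" prefix from the pre-shared-key and transform-set lines). All interface names, addresses, the ACL name and the key are placeholders I made up for the example.

```cisco
! Constructed branch config (ASA 8.4 syntax); every address here is a placeholder.
! Track reachability of a public host through the primary WAN interface.
sla monitor 1
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside_p
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! Primary default route is withdrawn when track 1 goes down; the floating
! route (metric 254) on the secondary interface then takes over.
route outside_p 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_s 0.0.0.0 0.0.0.0 198.51.100.1 254
! Interesting traffic for the L2L tunnel (branch LAN to HQ LAN, placeholders).
access-list HQ_VPN_TRAFFIC extended permit ip 10.80.1.0 255.255.255.0 10.0.0.0 255.255.255.0
! IKEv1 must be enabled on both WAN interfaces or the backup peer never negotiates.
crypto ikev1 enable outside_p
crypto ikev1 enable outside_s
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! One crypto map, one HQ peer, applied to both interfaces: whichever interface
! currently owns the default route sources the tunnel.
crypto map Outside_map 1 match address HQ_VPN_TRAFFIC
crypto map Outside_map 1 set peer 192.0.2.10
crypto map Outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map Outside_map interface outside_p
crypto map Outside_map interface outside_s
! HQ (192.0.2.10 here) lists both branch WAN IPs as peers, so one tunnel-group suffices.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_KEY
```

To confirm failover is actually working rather than relying on the old route (the symptom described later in this thread), check "show track 1" and "show route" after pulling the primary link, then "show crypto ikev1 sa" should show the HQ peer reached via the secondary interface's address.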
08-26-2012 10:50 PM
Hello Waren,
Thanks! Will give this a try tomorrow.
I'm currently using 8.4 ASA so there might be a little difference.
With HQ, do I need to configure the Group Policy?
Should it also have the same Group Policy as the primary Peer?
08-26-2012 10:54 PM
Hi Jemel,
By right, there is no need to configure a Group Policy; just adding the tunnel-group / backup peer IP will do. It will work for 8.2/8.3/8.4.
08-26-2012 11:03 PM
Thanks Waren.
Hope the VPN tunnel will work after these configuration changes.
Will update you if it does.
Thank you.
Regards,
Jemel
09-01-2012 12:49 AM
Hi Waren,
Your instructions were correct! I was able to configure the VPN Tunnel to HQ as desired. Thank you.
I still have a little problem though: I can't connect to the internet. I can ping the DNS Server 4.2.2.2 with no problem.
But I can't browse the internet. I've already changed the "Configuration > Firewall > NAT Rules" reflecting the new interface that I have, but still no internet access.
Is there still something that I need to do?
Thank you and hoping to hear from you soon.
Regards,
Jemel
09-07-2012 01:34 AM
Can you post your config file?
09-07-2012 04:27 AM
Hi Waren,
This is ok now, found a discussion here in the community and it solved the issue for me.
I can now browse the internet. It was a DNS issue.
Thank you for your help, much appreciated!
Regards,
Jemel
09-10-2012 12:38 AM
Welcome.
10-28-2012 07:51 PM
Hi Warren,
How are you? Hope all is well.
I was wondering, since we have almost the same setup, may I know what other things you have implemented with this setup? Did you make improvements to make the user experience better? QoS for the VPN traffic, perhaps? Do you have QoS implemented, by which L2L traffic to and from the branch office to the head office is given priority?
Hope to hear from you soon.
Thanks.
10-28-2012 11:47 PM
Hi Jemel,
I have a dedicated Internet link for VPN connectivity, so no need for QoS. But I have implemented a third-party vendor product to set up Link Load Balancing for VPN traffic. You can take a look at www.elfiq.com. This will ensure all available WAN links are utilized, instead of sitting idle and still being paid for.
Regards,
Nagis
10-29-2012 04:07 PM
Thanks for the prompt reply, Warren. Will look into this product to see if it is feasible for our needs.
Much appreciated.
02-27-2013 03:34 PM
Hi Guys,
I've always thought that I had configured my ASA correctly. Thing is, yesterday we had a failure on our primary DSL link. I was thinking that the secondary link would kick in, but I waited for probably 10-15 minutes and there was still no internet connectivity. What's strange is that I had a VPN connection to HQ. What I did was check on the CLI which route (show route) the ASA was using - it was still the failed Primary. I cleared the route on the Primary link (clear route outside_p) and then I got the result that I wanted: Internet and VPN are UP and running.
Is there something that I'm missing? I was wondering if it could be because of my Base License; maybe I should get the Security Plus License for my desired setup?