cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4829
Views
3
Helpful
28
Replies

Dual ISP with IPSecVPN

santiago.jem
Level 1
Level 1

Hi Experts,

I've been doing some research on how to configure an ASA with Dual ISP with IPSec Tunnel going to HQ.

Scenario_ASA.JPG

Here is the outline that I think I need I may need to do.

1.  Configure the Redundant Link, which led me to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Fair enough, I was able to grasps the concept on the above link.

2. Configure VPN with HQ_ASA. This seems to be the tough part.

What I would like to do is that Primary Link (15 Mbps DSL) will form VPN Peer with HQ when it is UP (used tracking as stated above).

When the Primary Link fails Secondary Link (5 Mbps DSL) will form a New VPN Peer with HQ

On both instances, the HQ_VPN Peer will have the same IP Address.

Looking forward for your response guys.

Thank you.

28 Replies 28

Hello Jemel,

Sure.. Keep me posted

do a more system:running-config | begin tunnel-group

in order to check them on clear text.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

VPN Connectivity is already UP, but there might be something wrong with my access-list. I still can't browse the internet.

I've read some of your replies to similar issues and I've taken note of it.

https://supportforums.cisco.com/thread/2123926

ciscoasa(config)# packet-tracer input inside Tcp 10.80.1.1 1025 4.2.2.2 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa(config)#

Funny thing is, I've already configured my access-list to almost allow all. There must be something that I missed.

NAGISWAREN2
Level 1
Level 1

Hi Jemel,

I have similar setup in real world. Below is the config

in HQ

1) Under main crypto map , just add seconday IP of Branch WAN2

crypto map Outside_map 1 set peer x.x.x.x y.y.y.y

x.x.x.x = Branch Primary WAN IP
y.y.y.y = Branch Secondary WAN IP

2) Create a Tunnel-group for backup peer

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key try123
in Branch

1) Just apply crypto map to backup interface.

crypto map Outside_map interface backup_wan





Regards, Nagis

Hello Waren,

Thanks! Will give this a try tomorrow.

I'm currently using 8.4 ASA so there might be a little difference.

With HQ, do I need to configure the Group Policy?

Should it also have the same Group Policy as the primary Peer?

Hi Jemel,

By right, there is no need to configure Group Policy, Just adding the Tunnel-group / backup peer ip will do. It will work for 8.2/8.3/8.4

Regards, Nagis

Thanks Waren.

Hope the vpn tunnel will work after this configuration changes.

Will update you if it does.

Thank you.

Regards,

Jemel

Hi Waren,

Your instructions were correct! I was able to configure the VPN Tunnel to HQ as desired. Thank you.

I still have a little problem though, I can't connect  to the internet. I can ping the DNS Server 4.2.2.2 with no problem.

But I cant browse the internet. I've already changed the "Configuration > Firewall > NAT Rules" refelcting the new interface that I have but no internet access still.

Is there still something that I need to do?

Thank you and hoping to hear from you soon.

Regards,

Jemel

Can u post your config file?

Regards, Nagis

Hi Waren,

This is ok now, found a discussion here in the community and it solved the issue for me.

I can now browse the internet. It was a DNS issue.

Thank you for your help, much appreciated!

Regards,

Jemel

welcome.

Regards, Nagis

Hi Warren,

How are you? Hope all is well.

I was wondering since we have almost the same set-up, may I know what are the other things that you have implemented with this setup. Did you do improvements to make the user experience better? QoS for the VPN traffic perhaps? Do you have QoS implemented? By which, L2L traffic to and from branch office to head office will be given priority?

Hope to hear from you soon.

Thanks.

Hi Jemel,

I have dedicated Internet link for VPN connectivity, so no need of QOS. But I have implimented third party vendor to setup Link Load Balancing for VPN traffic. You can take a look at www.elfiq.com. This will ensure all available WAN link is utilized , intead of siting Idle and still been payed.

Regards,

Nagis

Regards, Nagis

Thanks for the prompt reply Warren. Will look into this product if this is feasible for our needs.

Much appreciated.

Hi Guys,

I've always thought that I've configrued correctly my ASA. Thing is, yesterday we had a failure on our primary DSL Link, was thinking that the secondary link would kick-in but waited for probably 10-15 minutes there was no internet connectivity still. What's strange is that I had VPN connection to HQ. What I did was on the CLI I checked on what route (show route) the ASA is using, - it was still the failed Primary. I cleared the route on the Primary link (clear route outside_p) then I got the result that I wanted. Internet and VPN is UP and running.

Is there something that I'm missing, I was wondering it could be because of my Base License, maybe I should get the Security PLus License for my desired setup?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: