Tunnel redundancy between PIX and ASA

jsol · ‎08-01-2008

I have a PIX506E running version 6.3.x in a branch office and an ASA at the central site running version 7.2.x. We have installed a second ISP at the central site and we'd like to configure a backup/redundant tunnel from the branch office to the central site, through the new ISP. Is it possible? Does anyone have any document with a config exemple?

Thanks.

Farrukh Haroon · ‎08-01-2008

Assign any one IP address from the new provider's block to another interface on the ASA. Assign the same crypto map to it. Then add a second 'set peer' command on the branch office (Based on this new public IP).

Regards

Farrukh

jsol · ‎08-02-2008

The problem is that, due to network topology, I have to terminate the secondary tunnel to the same ASA's interface. It enters the central site via a different ISP (new public IP) and via NAT is translated to the ASA's outside interface. Do you think it's possible? This is because between the external routers and the ASA, we have a load balancer and a CheckPoint firewall, and all external traffic should pass through it.

Thanks,

Jordi.

Farrukh Haroon · ‎08-02-2008

Well if the network topology forces you to use the same physical interface, why don't you make logical interfaces? What is the role of the load balancer?

Regards

Farrukh