Who Me Too'd this topic

ASA IPSec VPN with two active ISP

antonkupriyanov
Level 1

Hi to ALL!

I have one question.

So, I have an ASA with 9.2(1) software connected to the ISPs with SLA enabled.

I need to configure a redundant IPSec VPN via ISP2, while all other traffic should pass through ISP1. If one of the ISPs goes down, all traffic, including VPN, should be routed via the surviving ISP.

I have SLA configured and it works.

ciscoasa# show run route
route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

Here we can see that if ISP1 and ISP2 are both up, all traffic is routed via ISP1, but traffic destined for the IPSec remote peer 172.22.10.5 is routed via ISP2.

This configuration works only when isp1 or isp2 is down, or if the static route to host 172.22.10.5 is removed. When both ISPs are up, the ASA doesn't send any IPSec packets to the remote side.

ciscoasa# show run nat
nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
nat (inside,isp1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cm_vpnc 10 match address acl_vpn
crypto map cm_vpnc 10 set pfs
crypto map cm_vpnc 10 set peer 172.22.10.5
crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map cm_vpnc 10 set security-association lifetime seconds 86400
crypto map cm_vpnc interface isp1
crypto map cm_vpnc interface isp2
crypto ca trustpool policy
crypto ikev1 enable isp1
crypto ikev1 enable isp2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

ciscoasa# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.2.1     255.255.255.0   CONFIG
Vlan2                    isp1                   10.175.2.10     255.255.255.0   CONFIG
Vlan3                    isp2                   10.175.3.10     255.255.255.0   CONFIG

The main question is: why?

Thank you in advance,

Anton
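To reason about which interface the ASA picks for the peer in each SLA state, here is an added Python model of the tracked static-route selection shown in the post's `show run route` (example code written for this page, not from the poster or from Cisco). It assumes the usual rule that the longest prefix wins, then the lowest metric, and that a route whose track object is down is withdrawn; the interface sets are taken from the post's `crypto map ... interface` and `crypto ikev1 enable` lines.

```python
import ipaddress

# Routes copied from the post's "show run route" output.
SHOW_RUN_ROUTE = """\
route isp1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2
"""
# Interfaces the post binds the crypto map to and enables IKEv1 on.
CRYPTO_MAP_IFACES = {"isp1", "isp2"}
IKEV1_IFACES = {"isp1", "isp2"}

def parse_routes(text):
    """Parse 'route <iface> <net> <mask> <gw> [metric] [track <id>]' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        iface, net, mask, gw = parts[1:5]
        rest = parts[5:]
        metric = int(rest.pop(0)) if rest and rest[0].isdigit() else 1  # ASA default metric 1
        track = int(rest[1]) if len(rest) >= 2 and rest[0] == "track" else None
        routes.append({"iface": iface, "gw": gw, "metric": metric, "track": track,
                       "prefix": ipaddress.ip_network(f"{net}/{mask}", strict=False)})
    return routes

def egress(routes, dst, track_up):
    """Pick the route for dst: longest prefix first, then lowest metric,
    skipping any route whose SLA track object is down (assumed model)."""
    dst = ipaddress.ip_address(dst)
    usable = [r for r in routes if dst in r["prefix"]
              and (r["track"] is None or track_up.get(r["track"], True))]
    if not usable:
        return None
    best = max(usable, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))
    return best["iface"], best["gw"]

def peer_egress_ok(routes, peer, track_up):
    """True if the interface chosen for the peer has both the crypto map bound
    and IKEv1 enabled, so the tunnel can at least be negotiated there."""
    chosen = egress(routes, peer, track_up)
    return chosen is not None and chosen[0] in CRYPTO_MAP_IFACES & IKEV1_IFACES

if __name__ == "__main__":
    routes = parse_routes(SHOW_RUN_ROUTE)
    for state in ({1: True, 2: True}, {1: True, 2: False}, {1: False, 2: True}):
        print(state, egress(routes, "172.22.10.5", state), egress(routes, "8.8.8.8", state))
```

Running it reproduces the post's expectation (peer via isp2 while both tracks are up, everything via the surviving ISP otherwise), so the symptom is not explained by route selection alone and the crypto-map binding on the chosen interface is the next thing to verify.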