ASA 5525X - Multiple Outside Interface

Rafael Mendes (Level 2)

Hello,

Question:

I have a pair of ASA 5525X for VPN traffic; the interfaces are:

- Inside

- DMZ

- Outside - ISP1 - IP 1.1.1.1

Can I have two "outside" interfaces, i.e. multiple ISPs, for VPN traffic (site to site)?

- Inside

- DMZ

- Outside - ISP1 - IP 1.1.1.1

- Outside2 - ISP2 - IP 2.2.2.2

I need this because I have problems with only one ISP, so I need to install one more and, on the remote peer, add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is it possible?

Tks.

Rafael


2 Accepted Solutions

Jeet Kumar (Cisco Employee)

Yes Rafael, it is possible.

You need to configure SLA monitoring on the ASA for the ISP failover.

And for the VPN, add the second ISP IP as a backup peer on the remote device.

On your ASA, where you have dual ISPs, the same crypto map will be applied on both interfaces.

In case you need any assistance regarding the configuration, let me know.

Configuration should look something like this:

interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.200.159.2 255.255.255.248
interface Ethernet2
 nameif inside
 security-level 100
 ip address 172.22.1.163 255.255.255.0
interface Ethernet1
 nameif backup
 security-level 0
 ip address 10.250.250.2 255.255.255.248

access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
access-list nonat permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

crypto map outside_map 20 match address outside_crypto_1
crypto map outside_map 20 set peer x.x.x.x (Public ip of the remote site)
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.22.1.0 255.255.255.0
nat (inside) 0 access-list nonat

tunnel-group x.x.x.x (public ip of the remote site) type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key cisco123

route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability

Important Information:

===============================================

** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting the replies, it will flush the primary route and start pointing the routes toward the backup interface.

** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.

** As soon as the ASA starts getting replies from the outside interface again, it will start pointing the routes back towards the MPLS interface.

** I hope this answers your query.

Thanks

Jeet

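As an added example (not code from the thread or from Cisco), a small Python checker for the elements the accepted answer's failover design relies on: the same crypto map bound to both ISP-facing interfaces, IKE enabled on both, a tracked primary default route whose track object points at a scheduled SLA probe, and a backup default route with a worse metric. The embedded sample config is constructed from the answer above; the function and its finding messages are assumptions of this example.

```python
import re

# Constructed sample (assumption): the ISP-facing part of the accepted
# answer's config above, reduced to the lines this checker inspects.
SAMPLE = """
crypto map outside_map interface outside
crypto map outside_map interface backup
crypto isakmp enable backup
crypto isakmp enable outside
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

def check_dual_isp_vpn(config, primary, backup):
    """Return a list of findings; [] means every element of the failover design is present."""
    maps, ike, routes, tracks, slas, findings = {}, set(), {}, {}, set(), []
    for l in (x.strip() for x in config.splitlines() if x.strip()):
        if m := re.match(r"crypto map (\S+) interface (\S+)$", l):
            maps.setdefault(m[1], set()).add(m[2])       # map name -> bound interfaces
        elif m := re.match(r"crypto isakmp enable (\S+)$", l):
            ike.add(m[1])
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$", l):
            routes[m[1]] = (int(m[2]), m[3])              # interface -> (metric, track id or None)
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", l):
            tracks[m[1]] = m[2]                           # track id -> sla monitor id
        elif m := re.match(r"sla monitor schedule (\d+) ", l):
            slas.add(m[1])
    # Same crypto map on both ISP interfaces and IKE on both, or the remote peer cannot fall back.
    if not any({primary, backup} <= ifs for ifs in maps.values()):
        findings.append(f"no single crypto map bound to both {primary} and {backup}")
    findings += [f"isakmp not enabled on {i}" for i in (primary, backup) if i not in ike]
    # Primary default route must be tracked by a scheduled SLA probe; backup needs the worse metric.
    pri, bak = routes.get(primary), routes.get(backup)
    if pri is None or bak is None:
        findings.append("default route missing on primary or backup interface")
        return findings
    if pri[1] is None:
        findings.append(f"primary route on {primary} has no track object")
    elif pri[1] not in tracks:
        findings.append(f"track {pri[1]} is not defined")
    elif tracks[pri[1]] not in slas:
        findings.append(f"sla monitor {tracks[pri[1]]} is not scheduled")
    if bak[0] <= pri[0]:
        findings.append("backup route metric is not worse than the primary's")
    return findings
```

Run it against the output of `show running-config` with the two ISP interface names; an empty list means the failover prerequisites from the answer are all in place.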

5 Replies

Ok!

Tks!

But does the VPN work at the same time on two different ISP IPs? Let's say one remote user is connected via ISP01 and another remote user via ISP02?

Regards!

juan villarreal (Level 1)

I configured an SLA IP, but keep in mind that when I send pings to the public interfaces, only the one on the active route answers. How do I get the two external interfaces to answer a ping?