
ASA Backup VPN

stephen.stack
Level 4

Hi Guys,

Tried having a look on these forums but I could not find an answer.

I am looking to configure a single ASA with a primary and backup/ redundant VPN.

The VPN remote endpoints will be a Cisco 3825 IOS router. I am aware of the crypto map map-name seq-num set connection-type originate-only command and specify a number of Endpoints. But it appears this only works ASA-ASA.

I have also tried this to no avail:

crypto map outside_vpn 11 match address VPN-TO-CUSTA

crypto map outside_vpn 11 set peer CUSTA_ENDPOINT_A

crypto map outside_vpn 11 set transform-set strong

crypto map outside_vpn 12 match address VPN-TO-CUSTA

crypto map outside_vpn 12 set peer CUSTA_ENDPOINT_B

crypto map outside_vpn 12 set transform-set strong

Bear in mind that the remote endpoints are different IPs on different boxes.

Can someone help me here?

TIA

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Ivan Martinon
Level 7

You need to create an SA from the public IP of the ASA to RouterA and from the public IP of the ASA to RouterB to make this work; the tunnel should be set to originate-only on your ASA. On your routers, you also need to define an SA from the public IP of RouterA to the ASA public IP, and from the public IP of RouterB to the ASA too (SA = crypto ACL). As far as I remember this is what you need, since the ASA creates SAs to the peers as soon as you have the originate-only setup. Another ASA will do it automatically, but with routers you need to do it manually.
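
The layout discussed in this thread, as an added configuration example that is not from either poster: one ASA crypto map entry listing both peers with originate-only, and a matching crypto map on each IOS router. The networks (10.1.0.0/16 local, 10.2.0.0/16 remote), the router-side names TO-ASA and VPN-FROM-CUSTA, the interface, and every value in angle brackets are assumptions; an ISAKMP policy and the transform set "strong" are assumed to exist with identical settings on all three devices.

```cisco
! ---- ASA (constructed example; networks, IPs and keys are placeholders) ----
! One crypto map entry with both peers, listed in order of preference.
! Two entries (11 and 12) matching the same ACL do not give failover:
! entries are checked in sequence order, so traffic always matches 11
! and entry 12 is never used.
access-list VPN-TO-CUSTA extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_vpn 11 match address VPN-TO-CUSTA
crypto map outside_vpn 11 set peer CUSTA_ENDPOINT_A CUSTA_ENDPOINT_B
crypto map outside_vpn 11 set transform-set strong
crypto map outside_vpn 11 set connection-type originate-only
!
! One tunnel-group per remote peer, keyed by that peer's public IP.
tunnel-group <ENDPOINT_A_IP> type ipsec-l2l
tunnel-group <ENDPOINT_A_IP> ipsec-attributes
 pre-shared-key <PSK_A>
tunnel-group <ENDPOINT_B_IP> type ipsec-l2l
tunnel-group <ENDPOINT_B_IP> ipsec-attributes
 pre-shared-key <PSK_B>
!
! ---- Router A (IOS); Router B is identical apart from its key ----
! Each router needs its own tunnel definition back to the ASA, with a
! crypto ACL that mirrors the ASA's (source and destination swapped).
crypto isakmp key <PSK_A> address <ASA_PUBLIC_IP>
!
ip access-list extended VPN-FROM-CUSTA
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map TO-ASA 10 ipsec-isakmp
 set peer <ASA_PUBLIC_IP>
 set transform-set strong
 match address VPN-FROM-CUSTA
!
interface GigabitEthernet0/0
 crypto map TO-ASA
!
! ---- Check on the ASA after sending interesting traffic ----
! show crypto isakmp sa    (shows which of the two peers is active)
! show crypto ipsec sa     (encaps/decaps counters for VPN-TO-CUSTA)
```

Because the ASA entry is originate-only, the tunnel comes up only when traffic from the ASA side matches VPN-TO-CUSTA; the routers respond but do not initiate.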