08-03-2008 06:00 PM
Dear Expert,
I would like to ask you some questions; right now I'm not clear about VPN primary and backup connections. How can we do this? (I mean that when the primary goes down, the backup connection comes up automatically.)
Could you advise me how I can do it?
Best Regards,
Rechard_hk
08-03-2008 08:58 PM
I guess we should have asked for a little more information; it seems Marwan and I responded almost at the same time, and I'm sure he'll provide great info.
I had geared more towards a fault tolerance scenario for a failed firewall or a failed ISP connection in a dual FW and dual ISP architecture.
Assuming you want to have a redundant firewall design, that is where you look into Active/Standby firewalls to provide firewall redundancy, but when it comes to continuous VPN connections when one firewall fails, that is where the stateful feature comes into place.
I'm providing a few links below for reference to get an idea of active and standby FWs, but the ASA5505 is the only model that is stateless; it is not stateful, which means connections will need to re-establish when one firewall fails.
Also, in order to implement dual firewalls for failover, you will need the Security Plus license to enable the active and standby feature. This license will also include the activation of DMZ support and the ability to create up to 20 VLANs, as well as Dual ISP support.
Example of active/standby
ASA comparison - Look into Ipsec plus license and features.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
On the other hand, you may in future have a backup ISP link: not only do you have Active/Standby failover, but you may also want a backup ISP link should the primary link fail, using SLA and static route tracking.
Rgds
Jorge
08-03-2008 09:26 PM
I liked JORGE's suggestions,
but I think the idea I have given above, to configure one map with two tunnel groups with two sequence numbers, is better in one way:
with active/standby, in addition to the required license, you're going to make a whole firewall passive, waiting for the active one to fail to handle the traffic,
while in my opinion, if you follow what I have given,
you can use both firewalls on the other site while you have them as primary and backup for your site for VPN.
In other words it is like two in one:
you have two active firewalls on that site,
and also you have a backup VPN device for the VPN tunnels.
Again, JORGE's suggestion is great and professional.
Good luck,
and please rate if helpful.
08-03-2008 06:40 PM
Is it a site-to-site VPN,
and do both have the same LAN behind them?
I mean, are the networks behind them the same IPs or different?
If they have the same private network behind them,
what I suggest you do is create another tunnel group for the backup VPN,
and in the crypto map:
crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer 192.168.6.2
here the IP address represents your primary VPN peer
crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer 192.168.6.5
here the IP address represents the backup VPN peer.
Notice that the map name is the same but the sequence number is higher,
so the ASA will try the first map entry with number 10;
if not successful it will go to number 20.
Also, in the above config I assume that both remote peers, the primary and the backup, have the same LAN, which matches ACL 101 in the above config.
Don't forget to make a separate L2L tunnel group for the backup VPN peer and tunnel-group ipsec, then put the shared key for the backup peer.
Briefly, it is like you are defining two site-to-site VPNs,
but you make their map the same map with a different sequence number.
Good luck.
Please rate if helpful.
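As an added example (not code from the thread), a small lint that reads an ASA config in the layout shown above, lists each crypto map's entries in sequence order and flags any `set peer` address that has no L2L tunnel-group carrying a pre-shared key, which is the step the post warns not to forget. The config text is constructed for the example; the map name, ACL number and peer addresses are the ones from the post.

```python
"""Added example (not from the thread): lint an ASA config for the backup-peer layout
above; lists each crypto map in sequence order and flags peers lacking a keyed tunnel-group."""
import re
from collections import defaultdict

# Constructed sample; the backup peer 192.168.6.5 is deliberately left without a tunnel-group.
SAMPLE_CONFIG = """
crypto map FWMAP 10 match address 101
crypto map FWMAP 10 set peer 192.168.6.2
crypto map FWMAP 20 match address 101
crypto map FWMAP 20 set peer 192.168.6.5
tunnel-group 192.168.6.2 ipsec-attributes
 pre-shared-key *****
"""
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def parse_crypto_maps(config):
    """Return {map_name: [(seq, acl, [peers]), ...]} ordered by sequence number."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue
        entry = entries[m.group(1)].setdefault(int(m.group(2)), {"acl": None, "peers": []})
        if m.group(3) == "match address":
            entry["acl"] = m.group(4)
        else:  # "set peer" may list several addresses on one line
            entry["peers"].extend(m.group(4).split())
    return {name: [(seq, e["acl"], e["peers"]) for seq, e in sorted(seqs.items())]
            for name, seqs in entries.items()}

def peers_with_psk(config):
    """Return the tunnel-group names whose ipsec-attributes block sets a pre-shared key."""
    found, current = set(), None
    for line in config.splitlines():
        m = TG_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("pre-shared-key "):
            found.add(current)
        elif line and not line.startswith(" "):  # any other top-level command ends the block
            current = None
    return found

def missing_tunnel_groups(config):
    """Peers referenced by any crypto map that have no keyed L2L tunnel-group."""
    keyed = peers_with_psk(config)
    return sorted({p for entries in parse_crypto_maps(config).values()
                   for _, _, peers in entries for p in peers if p not in keyed})
```

Running `missing_tunnel_groups(SAMPLE_CONFIG)` on the sample reports the backup peer, which is exactly the omission the post cautions against.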
08-03-2008 07:53 PM
Dear marwanshawi,
Thank you for your advice :)
OK, I understood the commands that you gave me. Could I ask you again?
1. When dual ISP is up, does all the traffic go out through both ISPs or not?
If the traffic goes out through both, how can we know which client goes to ISP1 and which other client goes to ISP2?
Best regards,
Rechard_hk
08-03-2008 08:38 PM
The above config is regarding the primary and backup ASA VPN.
About ISP use, it is related to how you route your traffic: are you load balancing or load sharing the traffic, or using it in an active and backup manner?
You can also control your users to prefer one link over the other through the default route.
Let's say you go to ISP 1 through IP 1.1.1.1 and ISP 2 through 2.2.2.2:
route outside 0 0 1.1.1.1
route outside 0 0 2.2.2.2 5
so all the traffic will go through ISP one;
once ISP1 is down, the traffic will flow through ISP2.
Please rate if helpful.
08-03-2008 06:41 PM
You could accomplish this through an Active/Standby configuration and enable stateful configuration for this to work. Unfortunately the ASA5505 does not support stateful failover; you can still have Active/Standby with dual ISP as a backup link, but if the primary ASA5505 fails the standby takes over but will not carry stateful traffic, that is VPN traffic; VPN tunnels will require reconnections.
HTH
Jorge
08-03-2008 08:02 PM
Dear Jorgemcse,
Thank you for your advice :)
Could you let me know about Active/Standby on the ASA? I'm not clear: can Active/Standby be done with only one box, or do you have to have two boxes?
Is it possible or not to do Active/Standby when I have only one box?
One more thing: I have a problem on the ASA 5505.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Advanced Endpoint Assessment : Disabled
On interface vlan1 and vlan2 I can create, but when I create one more interface, vlan3, it is not allowed. What is going on, and how can I do it?
I mean I want to create WAN, LAN and DMZ.
Best regards,
Rechard_hk
08-06-2008 11:24 PM
Dear Jorge,
Thank you for your advice.
Best Regards,
Rechard_hk
08-11-2008 01:25 AM
Dear Jorge,
Sorry to disturb you again.....
So I'm not clear about one line when we do show ver.
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
In the command output (VLANs : 3, DMZ Restricted) it says VLANs: 3, but I can only create two VLANs. What is wrong?
Best Regards,
Rechard_hk
08-11-2008 08:27 AM
Rechard_hk,
You should already have Vlan1, possibly as your inside interface, and Vlan2 as the outside interface. You should be able to create a 3rd VLAN.
i.e.
Say you need to create vlan100 with security level 50
for the 10.10.10.0/24 network:
interface Vlan100
no forward interface Vlan1
nameif test
security-level 50
ip address 10.10.10.1 255.255.255.0
then allocate a port on the ASA built-in switch:
interface Ethernet0/4
switchport access vlan 100
no shutdown
nat (test) 1 0.0.0.0 0.0.0.0
Rgds
Jorge
08-15-2008 03:14 AM
Dear Jorgemcse,
I still got the problem; when I type this command it shows as below:
Branch(config)# int vl
Branch(config)# int vlan 100
Branch(config-if)# ip add 50.50.50.50 255.255.255.0
Branch(config-if)# no shut
Branch(config-if)# nameif star
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Could you let me know how I can do it?
Best Regards,
rechard_hk
08-15-2008 11:03 AM
Rechard,
I believe you may be bound to the Base license. I have in my lab an ASA5505 with the Sec Plus license, so I could not test your scenario properly. Reading a bit further on the license specs for the ASA5505 to understand what "VLANs : 3, DMZ Restricted" means, it seems that the 3rd VLAN may be a DMZ based on Table 3-1 in the link below, but I could be wrong; try using nameif DMZ, and if it does not work I would suggest upgrading the license to Security Plus; the part number is ASA5505-SEC-PL. With Sec Plus all ASA5505 features will be unlocked. I find this base license or 50-user license etc. nonsense, but that's the way it is.
Table 3-1 License Restrictions on Active VLANs
ASA Licenses
ASA 5505 Complete specs
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Let me know how it works out.
Rgds
Jorge
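As an added example (not code from the thread or from Cisco), a pre-check that models the license error Rechard hit: it reads the "VLANs : N, DMZ Restricted" line from `show version` output and counts the interfaces in a config that carry a `nameif`, requiring a `no forward interface` statement on one of them once a third VLAN is named, as in Jorge's vlan100 layout. The two config snippets are constructed for the example; the rule applied is the one stated in the error text quoted above, not a full model of ASA licensing.

```python
"""Added example (not from the thread): check a config against the ASA 5505 license
line "VLANs : 3, DMZ Restricted" before applying it, mirroring the nameif error above."""
import re

# Constructed sample: two ordinary VLANs plus a third laid out the way Jorge showed.
GOOD_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan100
 no forward interface Vlan1
 nameif test
 security-level 50
"""
# The same config without the `no forward` line, as in the failing session.
BAD_CONFIG = GOOD_CONFIG.replace(" no forward interface Vlan1\n", "")
LICENSE_RE = re.compile(r"VLANs\s*:\s*(\d+)(,\s*DMZ Restricted)?")

def parse_license(show_version_text):
    """Return (max_vlans, dmz_restricted) from the `show version` license block."""
    m = LICENSE_RE.search(show_version_text)
    if not m:
        raise ValueError("no VLANs line in license block")
    return int(m.group(1)), m.group(2) is not None

def named_interfaces(config):
    """Return {interface: has_no_forward} for every interface that has a nameif."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = {"nameif": False, "no_forward": False}
        elif current and line.strip().startswith("nameif "):
            ifaces[current]["nameif"] = True
        elif current and line.strip().startswith("no forward interface"):
            ifaces[current]["no_forward"] = True
    return {name: f["no_forward"] for name, f in ifaces.items() if f["nameif"]}

def license_allows(config, max_vlans, dmz_restricted):
    """True if the named VLANs fit the license. With DMZ Restricted, naming a third
    VLAN requires `no forward interface` on at least one of the named interfaces."""
    named = named_interfaces(config)
    if len(named) > max_vlans:
        return False
    return not (dmz_restricted and len(named) > 2 and not any(named.values()))
```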