Cisco Support Community

New Member

BACK for Site to Site VPN

Hi, 

 

I was wondering, is it possible to create a backup for my site-to-site VPN connection? The remote end has a Cisco router which currently has a VPN connection to an ASA 5500. How would I now configure the same router to use another VPN on a different ASA 5500 should the ASA 5500 not work? Will simply adding another peer address on the ISAKMP policy do, or do I need to create a new crypto map, or is it simply not possible?


Thanks for your assistance in advance. 

 


Accepted Solutions
Hall of Fame Super Silver

On the router side it should work to have a second peer defined in the isakmp policy and in the set peer of the crypto map. I might prefer to configure a second instance within your existing crypto map to set up a second tunnel which would go to the other ASA. I have set up quite a few customer remote sites with two tunnels to provide failover capability and two instances within the route map works fine.

 

HTH

 

Rick
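
The first option in the answer above (a second peer in the existing crypto map entry), written out as an added example that is not part of the original thread. The addresses, names, key placeholders and proposal values are assumptions and must match what both ASAs are configured to accept.

```cisco
! Added example. 198.51.100.10 = primary ASA outside address,
! 203.0.113.10 = backup ASA outside address (constructed documentation addresses).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per head-end peer; replace the placeholders.
crypto isakmp key <PSK-PRIMARY> address 198.51.100.10
crypto isakmp key <PSK-BACKUP> address 203.0.113.10
!
! Dead peer detection, so the router notices a dead primary and
! tears down its SAs instead of waiting for them to expire.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
!
! Interesting traffic: remote-site LAN to head-end networks (constructed ranges).
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255
!
! Peers are tried in the order listed: primary first, then backup.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set peer 203.0.113.10
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

After a failover test, `show crypto isakmp sa` and `show crypto session` on the router show which ASA the tunnel is currently established with.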

3 REPLIES
New Member

Thanks for the reply Rick, 


How would you route the traffic outside once VPN traffic comes in if both ASAs are interconnected by WAN links? Should I just add static routes on both to route incoming VPN outside their own outside interface, or would that cause asymmetric VPN traffic flows which would cause connection problems?

 

Thanks!

Hall of Fame Super Silver

There probably are some things about your environment that I do not know and which might affect the answer. But I would think that you would want to have routing logic on each ASA. If the ASA were going to route traffic to outside that had been received on VPN, would you do address translation for the traffic? If so, it seems to me that this would assure that response traffic would come back to the right ASA and would take care of any issue about asymmetric traffic.

 

HTH

 

Rick
