
Backup site-to-site VPN configuration

I have a client with dual ISP connections, one on a 10Mb connection and the other on a backup link that is only a T1.

The client has multiple sites with this identical configuration.  The T1 is set up as a backup default route within the ASAs at each location.

Currently they have multiple site-to-site VPNs at each of the locations configured on the 10Mb connection.  One of these site-to-sites connects the two offices in question.  What is the best way to ensure that we maintain VPN connectivity between the sites in the event of a failure of the 10Mb connection at one of the two locations?

I believe I need to set up an additional crypto map for the interface connected to the T1 ("T1-Interface") and then reference both remote IPs in the "set peer" statements of the two crypto maps.

So, for example:

Site A

interface Outside
 ip address 1.1.1.1 255.255.255.252
interface Backup-T1
 ip address 2.2.2.1 255.255.255.252
interface Inside
 ip address 10.10.1.1 255.255.255.0
!
! track 1 is used to verify that the default route is present and, if not
! present, activates the Backup-T1 route (the SLA/track configuration
! steps for this are omitted for brevity)
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
!
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
!
crypto map backupT1_map 1 match address office_b_inside_acl
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
!
! one tunnel-group per remote peer address (Site B primary and backup)
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 pre-shared-key letmein
tunnel-group 4.4.4.1 type ipsec-l2l
tunnel-group 4.4.4.1 ipsec-attributes
 pre-shared-key letmein

Site B

interface Outside
 ip address 3.3.3.1 255.255.255.252
interface Backup-T1
 ip address 4.4.4.1 255.255.255.252
interface Inside
 ip address 10.10.2.1 255.255.255.0
!
! track 1 is used to verify that the default route is present and, if not
! present, activates the Backup-T1 route (the SLA/track configuration
! steps for this are omitted for brevity). Next hops below are assumed to
! be the other usable address in each /30 at Site B.
route Outside 0.0.0.0 0.0.0.0 3.3.3.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 4.4.4.2 254
!
crypto map outside_map 1 match address office_a_inside_acl
crypto map outside_map 1 set peer 1.1.1.1 2.2.2.1
crypto map outside_map 2 match address additional_l2l_acl
crypto map outside_map 2 set peer "additional location ip"
crypto map outside_map interface Outside
!
crypto map backupT1_map 1 match address office_a_inside_acl
crypto map backupT1_map 1 set peer 1.1.1.1 2.2.2.1
crypto map backupT1_map 2 match address additional_l2l_acl
crypto map backupT1_map 2 set peer "additional location ip"
crypto map backupT1_map interface Backup-T1
!
! one tunnel-group per remote peer address (Site A primary and backup)
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key letmein
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key letmein

Have I got this right based on this example?  Any suggestions are much appreciated.

Thanks,

Sean

1 REPLY

Backup site-to-site VPN configuration

Hi Sean,

Excellent.

I think you should be all set, however I do not see the IP SLA settings.

You have the "track" command, but not the SLA instance. Please check this out:

ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

http://tools.cisco.com/squish/BD68F

This is basically what you need:

sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

Please adjust the command above to your configuration.

Let me know if you have any questions.

Please rate this post if you find it helpful.
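As an added example (not part of Sean's post, the reply, or any Cisco tool), the script below performs the review the thread is about by hand: it parses the relevant ASA statements and checks that every crypto map applied to an interface actually exists and has entries (catching a misspelled map name), that every map with entries is applied somewhere, that each "set peer" address has an ipsec-l2l tunnel-group with a pre-shared key and is not one of the ASA's own interface addresses (the copy-paste slip that is easy to make when mirroring Site A to Site B), and, for the reply's point, that a route with "track N" is backed by a track object, its sla monitor, and a schedule. The SAMPLE_CONFIG is constructed for the example, loosely modeled on Site A, and deliberately contains those slips; the parser only recognizes the statement forms used in this thread.

```python
"""Consistency checks for an ASA site-to-site VPN / backup-ISP configuration.

Added example for this thread; not Cisco code and not the posters' config.
SAMPLE_CONFIG is constructed for the example and deliberately contains the
kinds of slips a review of the thread's config would look for.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Outside
 ip address 1.1.1.1 255.255.255.252
interface Backup-T1
 ip address 2.2.2.1 255.255.255.252
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1 track 1
route Backup-T1 0.0.0.0 0.0.0.0 2.2.2.2 254
crypto map outside_map 1 match address office_b_inside_acl
crypto map outside_map 1 set peer 3.3.3.1 4.4.4.1
crypto map oustide_map interface Outside
crypto map backupT1_map 1 match address office_b_inside_acl
crypto map backupT1_map 1 set peer 3.3.3.1 4.4.4.1
crypto map backupT1_map interface Backup-T1
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 pre-shared-key letmein
"""


def parse_asa(text):
    """Extract only the statements the checks need; everything else is ignored."""
    cfg = {
        "interfaces": {},                   # name -> ip address (None if not seen)
        "routes": [],                       # (iface, next_hop, metric, track_id or None)
        "map_entries": defaultdict(dict),   # map -> {seq: {"acl": str|None, "peers": [...]}}
        "map_bindings": {},                 # map -> interface it is applied to
        "tunnel_groups": {},                # peer -> {"type": str|None, "psk": bool}
        "tracks": {},                       # track id -> sla monitor id
        "sla_monitors": set(),
        "sla_schedules": set(),
    }
    cur_iface = cur_tg = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        sub = raw.startswith(" ")           # indented line belongs to the previous mode
        t = raw.split()
        kw = [x.lower() for x in t]         # keywords are case-insensitive on the ASA
        if not sub:
            cur_iface = cur_tg = None
        if sub and cur_iface and kw[:2] == ["ip", "address"] and len(t) >= 4:
            cfg["interfaces"][cur_iface] = t[2]
        elif sub and cur_tg and kw[0] == "pre-shared-key":
            cfg["tunnel_groups"][cur_tg]["psk"] = True
        elif kw[0] == "interface" and len(t) == 2:
            cur_iface = t[1]
            cfg["interfaces"].setdefault(cur_iface, None)
        elif kw[0] == "route" and len(t) >= 6:
            track_id = t[kw.index("track") + 1] if "track" in kw else None
            cfg["routes"].append((t[1], t[4], int(t[5]), track_id))
        elif kw[:2] == ["crypto", "map"] and len(t) >= 5:
            name = t[2]
            if kw[3] == "interface":
                cfg["map_bindings"][name] = t[4]
            elif len(t) >= 7 and kw[4:6] == ["match", "address"]:
                cfg["map_entries"][name].setdefault(t[3], {"acl": None, "peers": []})["acl"] = t[6]
            elif len(t) >= 7 and kw[4:6] == ["set", "peer"]:
                cfg["map_entries"][name].setdefault(t[3], {"acl": None, "peers": []})["peers"].extend(t[6:])
        elif kw[0] == "tunnel-group" and len(t) >= 3:
            tg = cfg["tunnel_groups"].setdefault(t[1], {"type": None, "psk": False})
            if kw[2] == "type" and len(t) >= 4:
                tg["type"] = kw[3]
            elif kw[2] == "ipsec-attributes":
                cur_tg = t[1]
        elif kw[0] == "track" and len(t) >= 4 and kw[2] == "rtr":
            cfg["tracks"][t[1]] = t[3]
        elif kw[:3] == ["sla", "monitor", "schedule"] and len(t) >= 4:
            cfg["sla_schedules"].add(t[3])
        elif kw[:2] == ["sla", "monitor"] and len(t) >= 3:
            cfg["sla_monitors"].add(t[2])
    return cfg


def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_asa(text)
    findings = []
    local_ips = {ip: name for name, ip in cfg["interfaces"].items() if ip}

    # A map applied to an interface must exist (typos here silently leave the interface with no VPN)
    for name, iface in cfg["map_bindings"].items():
        if name not in cfg["map_entries"]:
            findings.append(f"crypto map {name} is bound to {iface} but has no entries (typo in map name?)")
        if iface not in cfg["interfaces"]:
            findings.append(f"crypto map {name} is bound to undefined interface {iface}")

    # A map with entries must be applied; each entry needs an ACL, peers, and a keyed l2l tunnel-group
    for name, entries in cfg["map_entries"].items():
        if name not in cfg["map_bindings"]:
            findings.append(f"crypto map {name} has entries but is not applied to any interface")
        for seq, entry in sorted(entries.items(), key=lambda kv: int(kv[0])):
            where = f"{name} seq {seq}"
            if entry["acl"] is None:
                findings.append(f"crypto map {where} has no match address")
            if not entry["peers"]:
                findings.append(f"crypto map {where} has no set peer")
            for peer in entry["peers"]:
                if peer in local_ips:
                    findings.append(f"peer {peer} ({where}) is this ASA's own {local_ips[peer]} address")
                tg = cfg["tunnel_groups"].get(peer)
                if tg is None or tg["type"] != "ipsec-l2l":
                    findings.append(f"peer {peer} ({where}) has no tunnel-group of type ipsec-l2l")
                elif not tg["psk"]:
                    findings.append(f"peer {peer} ({where}) tunnel-group has no pre-shared-key")

    # A tracked route needs the track object, the SLA monitor it points at, and a schedule
    for iface, _next_hop, _metric, track_id in cfg["routes"]:
        if track_id is None:
            continue
        sla_id = cfg["tracks"].get(track_id)
        if sla_id is None:
            findings.append(f"route via {iface} references track {track_id}, which is not defined")
            continue
        if sla_id not in cfg["sla_monitors"]:
            findings.append(f"track {track_id} references sla monitor {sla_id}, which is not defined")
        if sla_id not in cfg["sla_schedules"]:
            findings.append(f"sla monitor {sla_id} is never scheduled")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print(line)
```

Run against the constructed sample it reports five findings: the misspelled "oustide_map" binding, the resulting unapplied "outside_map", the missing tunnel-group for peer 4.4.4.1 in both maps, and the "track 1" that no track object defines. Feeding it a configuration that also contains the reply's "sla monitor 123", "sla monitor schedule 123" and "track 1 rtr 123 reachability" lines clears the last finding.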
