Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

cisco asa 5510 IPsec tunnel to two sites with juniper netscreen

I'm trying to setup two tunnels from a cisco asa 5510 to two other sites with juniper netscreen:

siteA: juniper, network 10.10.0.0/16

siteB: juniper, network 10.11.0.0/16

siteC: asa 5510, network 10.12.0.0/16

siteA and siteB has a private WAN link and is running OSPF.

My plan is to create the tunnel siteA to siteC and allow both siteA&B subnets (10.10.0.0/15)

And also create a second tunnel siteB to siteC and also allow both siteA&B subnets (10.10.0.0/15)

The reason why I need this setup is for redundancy.

If siteA ISP goes down, siteC still have access to both sites through siteB, and if siteB ISP goes down siteC still have access to both sites through siteA.

If I create the two tunnels in the ASA, how would it know which peer to use if both peers have the same remote subnet?

Can I create static route in the ASA pointing to siteA's public address and use static route monitoring for failover?

"route outside 10.10.0.0 255.254.0.0 peerA_public_IP 10 track 1"

I need the ASA 5510 tunnel connection type to be bidirectional so I cannot use multiple peers in a single crypto map.

see attached diagram. thanks

4 REPLIES
Cisco Employee

Re: cisco asa 5510 IPsec tunnel to two sites with juniper netscr

Hi,

To answer your questions:

Question 1: If I create the two tunnels in the ASA, how would it know which peer to use if both peers have the same remote subnet?

Answer: In the crypto map created on the asa, you need to specify 2 peers. The syntax for this would look like:

crypto map <> <> set peer y.y.y.y z.z.z.z

y.y.y.y = Primary ASA

z.z.z.z = Secondary ASA

The ASA always will try to peer with y.y.y.y. If y.y.y.y is not available, then it tries to peer with z.z.z.z

So your primary ISP needs to be specified first, and then you specify the secondary ISP.

And since both Site A and B know about each other through OSPF, there wont be any problems in the remote subnet being 10.10.0.0 / 15.

Question 2: Can I create static route in the ASA pointing to siteA's public address and use static route monitoring for failover?
"route outside 10.10.0.0 255.254.0.0 peerA_public_IP 10 track 1"

Answer: SLA monitoring is not required here as we have tunnels from both site A and B terminating on a single interface of the ASA. SLA monitoring provides interface redundancy and this is not the case in your scenario.

Question 3: I need the ASA 5510 tunnel connection type to be bidirectional so I cannot use multiple peers in a single crypto map.

Answer: As mentioned earlier, you can specify 2 peers in a single crypto map.

In earlier codes, when you specify 2 peers in a single crypto map, only the remote end can initiate connection. In our example, only site A and B can initiate connection. Site C cannot initiate the connection. But in later versions of code, the tunnel can be initiated bidirectionally and it works just fine.

Please let me know if this answers your query.

Regards,

Manisha Mandekar

New Member

Re: cisco asa 5510 IPsec tunnel to two sites with juniper netscr

Thanks, I read about the multiple peer option but after reading Cisco Press Cisco ASA All-in-One... 2nd Edition published in 2010, it mentioned in p765 that:

"If you need to specify multiple peers in your crypto map sequence number for redundancy, you must set your connection type to originate-only mode."

btw, I'm running ASA v8.2. I'll give it a try.

thanks again,

Cisco Employee

Re: cisco asa 5510 IPsec tunnel to two sites with juniper netscr

Hi Angelo,

I'm don't think the originate only option would workout in this scenario since this option is supported between 2 cisco security devices only, as documented in this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

We probably should be looking at other alternatives. Would let u know if i find one for this backup vpn scenario.

Cheers,

Rudresh V

Cisco Employee

Re: cisco asa 5510 IPsec tunnel to two sites with juniper netscr

Hi Angelo,

8.2 supports bidirectional tunnel initiation.

Here's the output from a ASA running 8.2(2)

ciscoasa1(config)# crypto map vpnmap 10 set peer 1.1.1.1 2.2.2.2

ciscoasa1(config)# crypto map vpnmap 10 set connection-type ?

configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only

Here is more information on the same:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238363

But i guess this is not supported with a 3rd party device. Let me check on what other alternatives are avilable

1783
Views
0
Helpful
4
Replies
CreatePlease to create content