Re: cisco asa 5510 IPsec tunnel to two sites with juniper netscr
To answer your questions:
Question 1: If I create the two tunnels in the ASA, how would it know which peer to use if both peers have the same remote subnet?
Answer: In the crypto map created on the ASA, you need to specify 2 peers. The syntax for this would look like:
crypto map <
y.y.y.y = Primary ASA
z.z.z.z = Secondary ASA
The ASA will always try to peer with y.y.y.y. If y.y.y.y is not available, then it tries to peer with z.z.z.z.
So your primary ISP needs to be specified first, and then you specify the secondary ISP.
And since both Site A and B know about each other through OSPF, there won't be any problems with the remote subnet being 10.10.0.0 / 15.
Question 2: Can I create static route in the ASA pointing to siteA's public address and use static route monitoring for failover? "route outside 10.10.0.0 255.254.0.0 peerA_public_IP 10 track 1"
Answer: SLA monitoring is not required here as we have tunnels from both site A and B terminating on a single interface of the ASA. SLA monitoring provides interface redundancy and this is not the case in your scenario.
Question 3: I need the ASA 5510 tunnel connection type to be bidirectional so I cannot use multiple peers in a single crypto map.
Answer: As mentioned earlier, you can specify 2 peers in a single crypto map.
In earlier codes, when you specify 2 peers in a single crypto map, only the remote end can initiate the connection. In our example, only site A and B can initiate the connection. Site C cannot initiate the connection. But in later versions of code, the tunnel can be initiated bidirectionally and it works just fine.