Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CISCO ASA backup ISP and VPN

we have a two ISP solution, using cisco 5505 and work fine with tracking.

(route outside 0.0.0.0 0.0.0.0 a.b.c.d 1 track 1)

We have site to site VPN and this use Primary ISP's IP.Now we need to configure the same with ISP2 IP , incase ISP1 is done, we still have VPN Link is up with backup line with ISP2.

Is this possible as destination site is just one IP.

4 REPLIES
joe Bronze
Bronze

Re: CISCO ASA backup ISP and VPN

Good evening,

Yes there is a solution for this... what is the device the ASA 5505 is connecting to?

If its another ASA or a IOS router you can make the ASA 5505 a EZVPN client in network extension mode... that way you can connect the ASA to the vpn peer from either ISP 1 or 2 (depending on which one is active per the tracking).

Here is a link that explains this feature

Note: only the ASA 5505's can do EZVPN client

This link should help you get started!

-Joe

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ezvpn505.html

Thanks!

New Member

Re: CISCO ASA backup ISP and VPN

Hi Joe,

Thanks for the reply.Currently i have a site to site vpn establish through ISP 1.But in case of ISP 1 down, i have no VPN through ISP2.

So i need to configure VPN through ISP2 as well.

(In our case we have NATed ipsec traffic requested by remote datacentre)

LAN---ASA--ISP1----internet

|

--ISP2(backup)----internet

joe Bronze
Bronze

Re: CISCO ASA backup ISP and VPN

Exactly...

the ASA 5505 acting as an ezvpn client will establish a "lan-to-lan" tunnel when in "network extension mode" over either ISP 1 or 2 using the active default route to determine the pay to the ipsec peer.

You will need to config the other side as an IPSEC ezvpn server (either a PIX, ASA, or IOS router or VPN 3000 concentrator can do this).

Once the ASA 5505 connects, its private subnet will be learned and the tunnel will come up.

Read through that doc link I posted and let us know if we can be of a help. This weekend I'll have time to give out some sample configs from my security workbook if necessary.

-Joe

New Member

Re: CISCO ASA backup ISP and VPN

So you mean to say, once we configure L2L using intface "outside" (IP from ISP1), we can also configure the same L2L to fall back with ISP2 for interface "backup"

--

Is it just apply

isakmp enable outside

crypto map outside_map interface outside

and

isakmp enable backup

crypto map outside_map interface backup

279
Views
0
Helpful
4
Replies
CreatePlease login to create content