11-08-2010 08:55 AM
I have a situation where it is desirable to have multiple links from a Cisco router/firewall to a two Check Point firewalls. The Check Point firewalls both have the same encryption domain and they are not clustered. I know for all Check Point firewalls, MEP can be configured to support this type of configuration. However I do not see where it supports using other vendors specifically Cisco firewalls. Is there another way to achieve this level of redundancy?
11-11-2010 01:24 PM
Hi Troy,
On ASA you can configure a primary and a backup tunnel. In the crypto map you define 2 peers (in the same crypto map entry), the ASA will first try to establish a tunnel to the first peer, if that fails it will try the second.
e.g.
crypto map outside_map 20 set peer 10.10.10.1
crypto map outside_map 20 set peer 10.20.20.2
In this scenario it is recommended to configure the ASA as "originate-only", since unexpected results may occur when the backup Check Point would initiate a tunnel.
I hope this helps, let me know.
Herbert
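A fuller ASA configuration of the primary/backup peer arrangement described above, as an added example and not part of Herbert's reply; the peer addresses, ACL, map and tunnel-group names and the pre-shared key placeholders are assumptions:

```text
! Crypto ACL for the remote (Check Point) encryption domain - assumed addresses
access-list VPN_TO_CHECKPOINT extended permit ip 192.168.1.0 255.255.255.0 10.50.0.0 255.255.0.0

! One crypto map entry with two peers: the ASA tries 10.10.10.1 first, then 10.20.20.2
crypto map outside_map 20 match address VPN_TO_CHECKPOINT
crypto map outside_map 20 set peer 10.10.10.1 10.20.20.2
crypto map outside_map 20 set transform-set ESP-AES-SHA
! The ASA only ever initiates; neither Check Point is allowed to bring the tunnel up
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map interface outside

! Each peer needs its own tunnel-group (the PSK values are placeholders)
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key <PSK-FOR-PRIMARY-CHECKPOINT>
tunnel-group 10.20.20.2 type ipsec-l2l
tunnel-group 10.20.20.2 ipsec-attributes
 pre-shared-key <PSK-FOR-BACKUP-CHECKPOINT>

! Verify which peer the phase 1 SA is currently built to
show crypto isakmp sa
```

Because the entry is originate-only, failover to the backup peer only happens when the ASA itself has traffic to send and the first peer does not respond, so the same encryption domain on both Check Points is what lets either one terminate the tunnel.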
11-13-2010 02:49 PM
Thanks for your reply, Herbert. However, I do realise that this type of configuration is only supported between Cisco platforms. The configuration also includes a Check Point firewall.