Redundant VPN links between Cisco firewall/router to Check Point firewalls

troy.bennett
Level 1

I have a situation where it is desirable to have multiple links from a Cisco router/firewall to two Check Point firewalls. The Check Point firewalls both have the same encryption domain and they are not clustered. I know that for all Check Point firewalls, MEP can be configured to support this type of configuration. However, I do not see where it supports using other vendors, specifically Cisco firewalls. Is there another way to achieve this level of redundancy?

2 Replies

Herbert Baerten
Cisco Employee

Hi Troy,

On ASA you can configure a primary and a backup tunnel. In the crypto map you define 2 peers (in the same crypto map entry); the ASA will first try to establish a tunnel to the first peer, and if that fails it will try the second.

e.g.

crypto map outside_map 20 set peer 10.10.10.1 10.20.20.2

In this scenario it is recommended to configure the ASA as "originate-only", since unexpected results may occur when the backup Check Point would initiate a tunnel.

cfr. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

I hope this helps, let me know.

Herbert
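To check a running-config for the two points raised above (a backup peer in the same crypto map entry, and originate-only on that entry), here is an added audit script; it is not code from the thread or from Cisco, the config excerpt is constructed, and it assumes the ASA syntax "crypto map NAME SEQ set connection-type originate-only" with "bidirectional" as the default.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address acl_to_branch
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 20 match address acl_to_checkpoint
crypto map outside_map 20 set peer 10.10.10.1 10.20.20.2
crypto map outside_map 20 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 20 set connection-type originate-only
crypto map outside_map interface outside
"""

# Only the two sub-commands the audit cares about; the trailing
# "crypto map NAME interface ..." line has no sequence number and is skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|set connection-type) (.+)$")


def parse_crypto_map(config):
    """Return {(map_name, seq): {"peers": [...], "connection_type": str}}."""
    entries = defaultdict(lambda: {"peers": [], "connection_type": "bidirectional"})
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, cmd, args = m.groups()
        entry = entries[(name, int(seq))]
        if cmd == "set peer":
            # A later "set peer" on the same entry replaces the earlier list,
            # so peers must be listed together on one line to get a backup.
            entry["peers"] = args.split()
        else:
            entry["connection_type"] = args.strip()
    return dict(entries)


def audit(config):
    """Return {(map_name, seq): [issue, ...]}; an empty list means the entry passes."""
    findings = {}
    for key, entry in parse_crypto_map(config).items():
        issues = []
        if len(entry["peers"]) < 2:
            issues.append("single peer: no backup tunnel")
        elif entry["connection_type"] != "originate-only":
            issues.append("backup peer configured without originate-only")
        findings[key] = issues
    return findings


if __name__ == "__main__":
    for (name, seq), issues in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{name} {seq}: {'OK' if not issues else '; '.join(issues)}")
```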

Thanks for your reply Herbert. However I do realise that this type of configuration is only supported between Cisco platforms. The configuration also includes a Check Point firewall.