I'm trying to figure out if it is possible to set up redundant VPN tunnels for the remote end. One of my customers is purchasing devices for their remote locations that have both a wired and a wireless connection, each connection having its own IP address. So the scenario would look something like:
Local Network: 192.168.1.0/24
External IP address: 188.8.131.52
Local Network: 192.168.2.0/24
External IP address wired: 184.108.40.206
External IP address wireless: 220.127.116.11
Is it possible to configure the ASA5510 to initiate a VPN tunnel to 18.104.22.168 by default, but if unable to establish a tunnel, attempt to connect to 22.214.171.124 instead?
You can set up redundant VPN tunnels with the help of SLA monitoring. SLA monitoring defines which interface is active and, accordingly, which IP the tunnel is negotiated from. On your side, you can set the primary and backup peers with this command:
crypto map <map-name> <seq> set peer <primary-peer> <backup-peer>
Along with this, we need to create two tunnel groups, one for each peer.
On the remote end, SLA monitoring will be configured and the crypto map should be enabled on both interfaces.
This can be achieved with the following commands:
crypto map <map-name> interface primary
crypto map <map-name> interface secondary
sla monitor x
 type echo protocol ipIcmpEcho <probe-target-ip> interface primary
sla monitor schedule x life forever start-time now
track 1 rtr x reachability
route primary 0.0.0.0 0.0.0.0 172.16.10.10 1 track 1
route backup 0.0.0.0 0.0.0.0 172.16.20.10 254
Please go through the given document, which explains the redundant ISP configuration in detail.
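The following is an added, complete configuration for both ends (example only, not part of the original answer). It assumes the networks and external addresses from the scenario above, the ISP next-hops 172.16.10.10 (wired) and 172.16.20.10 (wireless) used in the answer, interface names "primary" and "wireless" on the remote ASA and "outside" on the hub, a placeholder pre-shared key, and ASA 8.2-style "crypto isakmp" syntax (8.4+ uses "crypto ikev1" instead).

```cisco
! --- Remote site (192.168.2.0/24), wired + wireless uplinks ---
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Probe the wired ISP gateway; track 1 goes down when the probe fails.
sla monitor 1
 type echo protocol ipIcmpEcho 172.16.10.10 interface primary
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route is withdrawn with track 1; the AD-254 backup route
! then takes over and the tunnel re-forms from the wireless address.
route primary 0.0.0.0 0.0.0.0 172.16.10.10 1 track 1
route wireless 0.0.0.0 0.0.0.0 172.16.20.10 254
!
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 188.8.131.52
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
! Same map and IKE enabled on both uplinks so either can source the tunnel.
crypto map VPN-MAP interface primary
crypto map VPN-MAP interface wireless
crypto isakmp enable primary
crypto isakmp enable wireless
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 188.8.131.52 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
! --- Hub site (192.168.1.0/24): primary and backup peer, one tunnel-group per remote IP ---
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 184.108.40.206 220.127.116.11
crypto map VPN-MAP 10 set transform-set ESP-AES-SHA
crypto map VPN-MAP interface outside
crypto isakmp enable outside
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

Verify failover with "show track 1", "show route" and "show crypto isakmp sa" on the remote ASA after pulling the wired link: the default route should switch to the wireless gateway and the hub should show the SA re-established with the wireless peer address.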