Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN configuration on ASA5510 with two WAN

Hello,

I would like to find any documentation how to configure IPSEC VPN, but unsuccessfully.

At my office are two uplinks - LAN and Backup, both are connected to ASA5510 (with static IP) and I would like to create ipsec to data center where I have another ASA5510 with one uplink

Thanks.

7 REPLIES

VPN configuration on ASA5510 with two WAN

Please let me know if my understanding wrong.... You want to create a IPSEC vpn connectivity between your branch office to a data centre.... in your office you have the lan connected to two WAN links say (Link 1 and Link 2) but in data centre you have only 1 WAN link in to the outside interface of the firewall. You want to make your IPSEC vpn between branch and DC for both the links from your brach office LAN.

New Member

VPN configuration on ASA5510 with two WAN

Yes, that is right, I want if primary uplink in office will fail, ipsec to data center will work through backup link.

Thanks

VPN configuration on ASA5510 with two WAN

Okay... great... what kind of IPSec VPN you are going to use.. Site to Site / Client to Site... get me the detailed info on these let me try to solution you on the same.

VPN configuration on ASA5510 with two WAN

if you have any network diagram representing the same... please share that as well...

New Member

Re: VPN configuration on ASA5510 with two WAN

Hello,

I woud like to use Site to Site ipsec VPN

At this moment I don't have  network diagram, but it looks like this:

                 ---primary (ext 1.1.1.1/29) uplink---

Office                                                              ---  internet --- Data center (ext 3.3.3.3/29, int 192.168.0.0/24)

                 ---backup (ext 2.2.2.2/29) uplink---

Thanks

VPN configuration on ASA5510 with two WAN

Hi Zigmunds,

The below configuration is just an example... you can try this out.... this should work as per my knowledge... pls work with this model and let me know if you get the results... hoping for a good result...

Site 1 with 2 Internet Links

=================================

Outbound Access-List

====================

access-list in-to-out extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list in-to-out extended permit if any

access-list in-to-out extended deny ip any any

!

access-group in-to-out in interface inside

!

access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Outside_1_cryptomap2 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map_link1 10 match address Outside_1_cryptomap

crypto map Outside_map_link1 10 set peer 3.3.3.3

crypto map Outside_map_link1 10 set transform-set ESP-3DES-SHA

crypto map Outside_map_link1 interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map_link2 20 match address Outside_1_cryptomap2

crypto map Outside_map_link2 20 set peer 3.3.3.3

crypto map Outside_map_link2 20 set transform-set ESP-3DES-SHA1

crypto map Outside_map_link2 interface Outside1

crypto isakmp enable Outside1

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

tunnel-group 3.3.3.3 type ipsec-l2l

tunnel-group 3.3.3.3 ipsec-attributes

pre-shared-key cisco

!

Data Centre

=============

access-list outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list outbound extended permit if any

access-list outbound extended deny ip any any

!

access-group outbound in interface inside

!

access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list Outside_1_cryptomap1 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0

!

global (outside) 1

global (outside) 1

nat (inside) 2 access-list Outside_1_cryptomap1

nat (inside) 1 access-list Outside_1_cryptomap

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 10 match address Outside_1_cryptomap

crypto map Outside_map 10 set peer 1.1.1.1

crypto map Outside_map 10 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key cisco

!

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 20 match address Outside_1_cryptomap1

crypto map Outside_map 20 set peer 1.1.1.1

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

pre-shared-key cisco

!

New Member

Re: VPN configuration on ASA5510 with two WAN

Hello,

I found that in Datacenter side in VPN configuration I have to change only one line:

crypto map 1 set peer 1.1.1.1 2.2.2.2

Is it correct?

Thanks.

690
Views
0
Helpful
7
Replies