08-05-2012 12:57 PM - edited 03-04-2019 05:10 PM
We are in the process of adding an additional ISP to our corporate network. When we do so, the ASA we use will connect with our WAN sites (Cisco 2811s, and I know we need to upgrade!) with the current NAT'd IP (7.7.7.7 for this question) and also the new one (8.8.8.8). I need to know a way to add the additional ISP IP into our WAN site routers so they will accept either the existing IP or the new one. Here is our WAN site router's current setup:
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp keepalive 10 5 periodic
!
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
crypto map aptmap 10 ipsec-isakmp
set peer 7.7.7.7
set transform-set aptset
set pfs group5
match address IPSec
!
!
ip access-list extended IPSec
 ! Site IP range
 permit ip 10.2.2.0 0.0.0.255 any
What would I add for the additional NAT'd IP (8.8.8.8)?
Note: the ASA that has all of our tunnels will be behind a load balancer so all it will be looking for is the tunnel coming into one of its interfaces.
Thanks in advance!
08-06-2012 07:54 AM
crypto isakmp key examplekey1! address 8.8.8.8
crypto map aptmap 20 ipsec-isakmp
set peer 8.8.8.8
set transform-set aptset
set pfs group5
match address newacl
(Would you be matching the same traffic? I don't think you could load-share the traffic.)
08-06-2012 11:23 AM
Edison,
I could do it that way if needed. If I remember right, there was some way to do the set peer with a name:
set peer IPSEC
I just can't remember it...
08-06-2012 11:55 AM
The suggestion from Edison is the classic way to define a second tunnel on the 2811 router. And it works very well as long as the two tunnels go to separate destinations. But if I read your posts correctly it is the same single 2811 as source going to the same ASA as destination. In that case I do not believe that two separate tunnels will work. There is a way to have two peer statements within the same instance of the crypto map and I believe that is what you need for the 2811. The config might look something like this:
crypto map aptmap 10 ipsec-isakmp
set peer 7.7.7.7
set peer 8.8.8.8
set transform-set aptset
set pfs group5
match address IPSec
HTH
Rick
08-06-2012 12:06 PM
That would work, but the question is: would it attempt to build out two tunnels to the same device?
08-06-2012 03:34 PM
It is my understanding that if you configure what I have suggested, with two peer statements in one instance of the crypto map, the router will build one tunnel (not two) and will try the first peer address. If the first peer address works, then the tunnel comes up. If there is a problem with the first peer address, then the router tries the second peer address. So in effect it gives you a failover mechanism.
HTH
Rick
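To put Rick's two-peer suggestion together with the rest of the 2811 configuration from the original post, here is a complete router-side example. It is an added illustration, not configuration posted by anyone in this thread: the addresses (7.7.7.7, 8.8.8.8, 10.2.2.0/24), the pre-shared key and the map/ACL names are the thread's own placeholders, the WAN interface name is an assumption, and the `default` keyword on the first `set peer` line is assumed to be available only on IOS releases that support the crypto map default-peer feature (drop it on older code; the two-peer fallback still works without it).

```cisco
! Added example: 2811 WAN site router with both ASA public addresses
! as peers in ONE crypto map entry (failover, not load-sharing).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
! One pre-shared key entry per peer address the router may negotiate with.
! Without the 8.8.8.8 line, IKE to the second peer fails at authentication.
crypto isakmp key examplekey1! address 7.7.7.7
crypto isakmp key examplekey1! address 8.8.8.8
!
! Dead Peer Detection (already in the original config) is what lets the
! router detect a dead 7.7.7.7 and move on to 8.8.8.8; without it the
! switch only happens when the SA expires or traffic times out.
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec transform-set aptset esp-aes 256 esp-sha-hmac
!
! Single map entry, two peers: the router tries 7.7.7.7 first and falls
! back to 8.8.8.8 if IKE to the first peer fails or DPD declares it dead.
! "default" (assumption: requires a supporting IOS release) asks the router
! to prefer 7.7.7.7 again when SAs are next renegotiated, rather than
! staying on 8.8.8.8 indefinitely.
crypto map aptmap 10 ipsec-isakmp
 set peer 7.7.7.7 default
 set peer 8.8.8.8
 set transform-set aptset
 set pfs group5
 match address IPSec
!
ip access-list extended IPSec
 ! Site LAN range from the original post
 permit ip 10.2.2.0 0.0.0.255 any
!
! Apply the map to the Internet-facing interface (interface name assumed).
interface FastEthernet0/0
 crypto map aptmap
```

After applying it, `show crypto map` should list both peers under sequence 10 of aptmap, and `show crypto isakmp sa` (or `show crypto session`) shows which of the two addresses the live tunnel is currently built to. On the ASA side the same crypto map has to be applied on both ISP-facing interfaces and the 2811's public address must match a tunnel-group (or the default L2L group) with the same key, otherwise the fallback peer will answer IKE but refuse the router's proposal.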
08-07-2012 12:42 PM
Is there a way anyone knows of to set up the IPSec so that the IP addresses are equal? Say, create a pool somehow and put both addresses in it, then put the name of the pool in as the peer?