multi-ISP VPN with different but overlapping crypto maps on each WAN
Hope this makes sense, please bear with me on the description...
I have an ASA 5510 with 2 ISP links (wan1 and wan2).
I have different crypto maps applied to each: wan1 has tunnels to the remote branches' inside LANs (also behind ASA 5505s at the remote branches); wan2 has a tunnel to Branch2, but the traffic is destined for the DMZ on that ASA, not the inside LAN.
That is to say, crypto map map_wan1 has a peer for Branch2, but the match address is the inside LAN, and map_wan2 has a peer to the same Branch2 public IP, but the match address is for the DMZ subnet.
The reason for a separate tunnel on wan2 to Branch2's DMZ is the performance difference between the two ISPs.
Now I need to failover from wan1 to wan2 if ISP1 goes down (an sla monitor - that's no problem).
The "problem" is in having a map entry in map_wan2 with an identical configuration to its counterpart in map_wan1, but the tunnel should be built on wan1 most of the time, and only fail to wan2 if wan1 is offline.
There is no need for the tunnel currently on wan2 to branch2/dmz to fail over if ISP2 is down.
A pseudo-code example (SLA is configured and working on wan1/ISP1):

!
! note: a static route via wan2 for map_wan2 even when wan1 is default route
!
route wan2 <branch2>/32 <wan2-gw>
route wan2 10.0.0.0/24 <wan2-gw>

access-list acl_branch2_lan permit ip 192.168.1.0/24 192.168.2.0/24
access-list acl_branch3_lan permit ip 192.168.1.0/24 192.168.3.0/24
access-list acl_branch2_DMZ permit ip 192.168.1.0/24 10.0.0.0/24

crypto map map_wan1 10 set peer <branch2>
crypto map map_wan1 10 match address acl_branch2_lan
crypto map map_wan1 20 set peer <branch3>
crypto map map_wan1 20 match address acl_branch3_lan
crypto map map_wan1 interface wan1

! note: sequence #10 already exists and works
crypto map map_wan2 10 set peer <branch2>
crypto map map_wan2 10 match address acl_branch2_DMZ
!
! Can I add a "duplicate" of the peer/acl from map_wan1 to this map?
crypto map map_wan2 50 set peer <branch2>
crypto map map_wan2 50 match address acl_branch2_lan
crypto map map_wan2 60 set peer <branch3>
crypto map map_wan2 60 match address acl_branch3_lan
crypto map map_wan2 interface wan2
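As an added example (not the poster's configuration and not Cisco tooling), the script below is a static check for exactly the situation described in the post: two crypto maps on different WAN interfaces that reference the same peer with crypto ACLs that may or may not overlap. It parses a constructed ASA-style config built from the pseudo-code above, with documentation-range placeholder addresses (203.0.113.x peers, 198.51.100.x gateways) standing in for the real `<branch2>`, `<branch3>` and gateway values, and ACLs written in the network/netmask form ASA uses. It reports every pair of crypto-map entries that share a peer and whose ACLs could match the same flow, and which interface's most specific static route currently covers each peer.

```python
"""Static check for overlapping ASA crypto-map entries across WAN interfaces."""
import ipaddress
import itertools
import re

# Constructed sample derived from the poster's pseudo-config. Peer and gateway
# addresses are documentation-range placeholders, not real endpoints; the /32 to
# the Branch2 peer and the DMZ route via wan2 mirror the poster's static routes.
SAMPLE_CONFIG = """\
route wan1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route wan2 0.0.0.0 0.0.0.0 198.51.100.129 254
route wan2 203.0.113.2 255.255.255.255 198.51.100.129
route wan2 10.0.0.0 255.255.255.0 198.51.100.129
access-list acl_branch2_lan extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_branch3_lan extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl_branch2_DMZ extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map map_wan1 10 set peer 203.0.113.2
crypto map map_wan1 10 match address acl_branch2_lan
crypto map map_wan1 20 set peer 203.0.113.3
crypto map map_wan1 20 match address acl_branch3_lan
crypto map map_wan1 interface wan1
crypto map map_wan2 10 set peer 203.0.113.2
crypto map map_wan2 10 match address acl_branch2_DMZ
crypto map map_wan2 50 set peer 203.0.113.2
crypto map map_wan2 50 match address acl_branch2_lan
crypto map map_wan2 60 set peer 203.0.113.3
crypto map map_wan2 60 match address acl_branch3_lan
crypto map map_wan2 interface wan2
"""

# Only the line shapes needed for this check are recognised (ip ACEs with
# network/netmask, crypto map peer/match/interface, static routes).
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?")


def parse_config(text):
    """Return ACLs, crypto-map entries keyed by (map, seq), map interfaces and routes."""
    acls, entries, ifaces, routes = {}, {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := PEER_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := MATCH_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := IFACE_RE.match(line):
            ifaces[m[1]] = m[2]
        elif m := ROUTE_RE.match(line):
            metric = int(m[5]) if m[5] else 1  # ASA default metric is 1
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), metric))
    return {"acls": acls, "entries": entries, "ifaces": ifaces, "routes": routes}


def acls_overlap(a, b):
    """True if some ACE in a and some ACE in b could both match the same flow."""
    return any(s1.overlaps(s2) and d1.overlaps(d2) for s1, d1 in a for s2, d2 in b)


def find_overlaps(cfg):
    """Pairs of crypto-map entries that share a peer and have overlapping crypto ACLs."""
    found = []
    for (ka, ea), (kb, eb) in itertools.combinations(sorted(cfg["entries"].items()), 2):
        if ea.get("peer") is None or ea.get("peer") != eb.get("peer"):
            continue
        if acls_overlap(cfg["acls"].get(ea.get("acl"), []), cfg["acls"].get(eb.get("acl"), [])):
            found.append((ka, kb, ea["peer"]))
    return found


def egress_for_peer(cfg, peer):
    """Interface of the most specific (then lowest-metric) static route covering peer."""
    addr = ipaddress.ip_address(peer)
    candidates = [(net.prefixlen, -metric, iface)
                  for iface, net, metric in cfg["routes"] if addr in net]
    return max(candidates)[2] if candidates else None


def report(cfg):
    """Human-readable findings, one string per line."""
    lines = [f"{ka[0]}#{ka[1]} and {kb[0]}#{kb[1]} share peer {peer} with overlapping ACLs"
             for ka, kb, peer in find_overlaps(cfg)]
    for peer in sorted({e["peer"] for e in cfg["entries"].values() if "peer" in e}):
        lines.append(f"peer {peer}: most specific static route is via {egress_for_peer(cfg, peer)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_config(SAMPLE_CONFIG))))
```

On the sample, the only overlaps reported are the two deliberately duplicated LAN entries (map_wan1 10 / map_wan2 50 and map_wan1 20 / map_wan2 60); the existing DMZ entry map_wan2 10 is disjoint from the LAN entry for the same peer, so it does not collide with them. The route check also makes visible that the /32 to the Branch2 peer points at wan2 regardless of the tracked default route, which is worth having in front of you before deciding how the duplicate entries should behave during failover.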