Cisco Support Community
multi-ISP VPN with different but overlapping crypto maps on each WAN

Hope this makes sense, please bear with me on the description... 

I have an ASA 5510 with 2 ISP links (wan1 and wan2).

I have different crypto-maps applied to each:
wan1 has tunnels to remote branch inside LANs (also behind ASA 5505s at the remote branches)
wan2 has a tunnel to Branch2, but the traffic is destined for the DMZ on that ASA, not the inside LAN.

That is to say, crypto map map_wan1 has a peer for Branch2, but the match address is the inside lan, and map_wan2 has a peer to the same Branch2 public IP, but the match address is for the DMZ subnet.

The reason for a separate tunnel on wan2 to branch2's DMZ is the performance difference between the 2 ISPs.

Now I need to fail over from wan1 to wan2 if ISP1 goes down (an SLA monitor - that's no problem).

The "problem" is in having a map entry in map_wan2 with an identical configuration to its counterpart in map_wan1, but the tunnel should be built on wan1 most of the time, and only fail to wan2 if wan1 is offline.

There is no need for the tunnel currently on wan2 to branch2/dmz to fail over if ISP2 is down.

A pseudo-code example (SLA is configured and working on wan1/ISP1):

route wan1 0.0.0.0 0.0.0.0 <wan1-gw> 1 track 1
route wan2 0.0.0.0 0.0.0.0 <wan2-gw> 2
!
! note: a static route via wan2 for map_wan2 even when wan1 is the default route
!
route wan2 <branch2> 255.255.255.255 <wan2-gw>
route wan2 10.0.0.0 255.255.255.0 <wan2-gw>
!
! crypto ACLs (ASA extended ACL syntax: network + mask, not CIDR)
access-list acl_branch2_lan extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_branch3_lan extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl_branch2_DMZ extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! note: transform-set / IKE settings are omitted here, as in the original pseudo-code
crypto map map_wan1 10 set peer <branch2>
crypto map map_wan1 10 match address acl_branch2_lan
crypto map map_wan1 20 set peer <branch3>
crypto map map_wan1 20 match address acl_branch3_lan
crypto map map_wan1 interface wan1
!
! note: sequence #10 already exists and works
crypto map map_wan2 10 set peer <branch2>
crypto map map_wan2 10 match address acl_branch2_DMZ
!
! Can I add a "duplicate" of the peer/acl from map_wan1 to this map?
crypto map map_wan2 50 set peer <branch2>
crypto map map_wan2 50 match address acl_branch2_lan
crypto map map_wan2 60 set peer <branch3>
crypto map map_wan2 60 match address acl_branch3_lan
crypto map map_wan2 interface wan2
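Added here as an illustration, not code from the original post: a small Python lint over ASA-style config text that groups crypto map entries by peer and reports crypto-ACL proxy identities that are carried toward the same peer on two different interfaces (the "duplicate" entries the question asks about), while not flagging the wan2 DMZ entry, whose identity does not overlap the LAN one. The sample config and the 203.0.113.2 peer address are constructed for the example; transform sets and IKE settings are omitted, as in the pseudo-code above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the question's config; 203.0.113.2 is a documentation address
SAMPLE_CONFIG = """
access-list acl_branch2_lan extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_branch2_DMZ extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map map_wan1 10 set peer 203.0.113.2
crypto map map_wan1 10 match address acl_branch2_lan
crypto map map_wan1 interface wan1
crypto map map_wan2 10 set peer 203.0.113.2
crypto map map_wan2 10 match address acl_branch2_DMZ
crypto map map_wan2 50 set peer 203.0.113.2
crypto map map_wan2 50 match address acl_branch2_lan
crypto map map_wan2 interface wan2
"""

def parse_config(text):
    """Return (acls, maps): acls[name] -> [(src_net, dst_net)]; maps[name] -> interface + entries by sequence."""
    acls = defaultdict(list)
    maps = defaultdict(lambda: {"interface": None, "entries": defaultdict(dict)})
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, s, sm, d, dm = m.groups()  # ASA syntax: network followed by its mask
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            maps[m[1]]["interface"] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) (set peer|match address) (\S+)$", line):
            name, seq, kind, val = m.groups()
            maps[name]["entries"][int(seq)]["peer" if kind == "set peer" else "acl"] = val
    return acls, maps

def overlapping_identities(acls, maps):
    """(peer, map_a, map_b, identity) where two crypto maps on different interfaces carry overlapping identities to one peer."""
    by_peer = defaultdict(list)
    for mname, mdata in maps.items():
        for entry in mdata["entries"].values():
            for src, dst in acls.get(entry.get("acl"), []):
                by_peer[entry.get("peer")].append((mname, mdata["interface"], src, dst))
    hits = []
    for peer, ids in by_peer.items():
        for i, (ma, ia, sa, da) in enumerate(ids):
            for mb, ib, sb, db in ids[i + 1:]:
                # same-interface overlap is just ordinary ACL ordering; cross-interface overlap is what we want to see
                if ia != ib and sa.overlaps(sb) and da.overlaps(db):
                    hits.append((peer, ma, mb, f"{sa}->{da}"))
    return hits

def lint(text):
    """Run the check over a config text and return the cross-interface overlaps."""
    return overlapping_identities(*parse_config(text))
```

Running `lint(SAMPLE_CONFIG)` reports the LAN identity as present on both map_wan1 (wan1) and map_wan2 (wan2) for the branch2 peer, and says nothing about the DMZ entry.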
