Cisco IOS to PIX/ASA MultiPeer Config
GLGARRISON asked:
Dear sirs, I need your help.
We have a Cisco PIX515E at the central site serving VPNs to spoke Cisco 871 routers. Config extracts follow.
We've dual-homed the PIX using route tracking, making the secondary ISP just a hot standby path, and want to cause the 871s to automatically switch. Cisco IOS doc. suggests that multiple ipsec peer statements will do the trick, but I must not be configuring it correctly. When I force a switch to our secondary ISP, the 871s appear to keep banging away at our primary address and not trying to use the secondary peer path.
Our releases are PIX/ASA: 7.2(1-24) and IOS 12.4(9)T AdvIPServ.
******************** The 871 config ********************
!! Cisco 871, config for Spoke network, with:
!
! dhcp assigned outside address
! outbound pat, ntp,
! basic firewalling
! static vpn to PIX515 with manual selection Widomaker/Cox
! qos based on rfc2597/2598 differentiated services
! dhcp server with hosts below 100 excluded
!
version 12.4
!...
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
crypto isakmp keepalive 10 2 periodic
!...
!
crypto map hqvpn 11 ipsec-isakmp
set security-association idletime 120
! "default" (not "preferred") is the IOS keyword that marks the primary peer
set peer w.w.w.w default
set peer c.c.c.c
set transform-set ...
match address 120
qos pre-classify
!
! use f0-f4 as 4 port switch for vlan1 i/f
!
interface FastEthernet0
no ip address
!...
interface FastEthernet4
description Outside
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map hqvpn
service-policy output cbwfq_policy
!
interface Vlan1
description Inside
ip address 192.168.3.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip inspect firewall in
ip virtual-reassembly
ip tcp adjust-mss 1452
! service-policy output cbwfq_policy
!
ip classless
!
ip nat inside source list 121 interface FastEthernet4 overload
!
access-list 101 remark inbound
!...
access-list 120 remark select vpn traffic
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.15.255
!
access-list 121 remark nat all but vpn traffic
access-list 121 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.15.255
access-list 121 permit ip 192.168.3.0 0.0.0.255 any
!
end
******************** The PIX515E config ********************
PIX Version 7.2(1)24
!...
! Widomaker w.w.w.w our assigned address
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address w.w.w.w m.m.m.m
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!...
! Cox Cable c.c.c.c our assigned address
interface Ethernet3
speed 100
duplex full
nameif backup
security-level 0
ip address c.c.c.c m.m.m.m
!...
!
nat-control
!
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
!
access-group outside_access_in in interface outside
access-group backup_access_in in interface backup
!
route outside 0.0.0.0 0.0.0.0 w.w.w.gateway 1 track 1
route backup 0.0.0.0 0.0.0.0 c.c.c.gateway 244
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
!...
!
! winside is an address inside Widomaker (our primary ISP)
sla monitor 123
type echo protocol ipIcmpEcho w.w.w.winside interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
!
crypto ipsec transform-set fast ...
crypto dynamic-map dynmap 20 set transform-set fast
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map mymap interface backup
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
authentication pre-share
encryption ...
hash ...
group .
lifetime none
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto isakmp nat-traversal 60
!
track 1 rtr 123 reachability
!
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key SharedSecret
!
!...
telnet 192.168.0.0 255.255.240.0 inside
telnet timeout 5
ssh timeout 5
! SSHv1 is cryptographically weak; PIX 7.x supports "ssh version 2"
ssh version 1
console timeout 0
management-access inside
priority-queue outside
priority-queue inside
!
class-map voip
match dscp ef
class-map rtp2
match rtp 51000 256
class-map rtp1
match rtp 28000 256
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map qos
class voip
priority
class rtp2
priority
class rtp1
priority
class class-default
!
service-policy global_policy global
!
end
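The 871 side of the question boils down to two IOS features working together, and an added example (not part of the original question or of the accepted answer) makes the interaction easier to see. `preferred` is not an IOS keyword; the IPsec Preferred Peer feature in 12.3(14)T and later uses `set peer <address> default`. Without `default`, IOS keeps using whichever peer last completed IKE, so the spokes never come home after the primary path recovers. DPD (`crypto isakmp keepalive 10 2 periodic`) is what tears down the dead IKE SA, and only after that teardown does the next packet matching ACL 120 trigger IKE to the next peer in the list. The `idletime` on the security association tears the backup tunnel down when it goes quiet so the following attempt goes to the default peer again. One caveat worth checking before a maintenance window: failover only happens if w.w.w.w actually stops answering DPD; if the PIX still replies on its primary address while its default route has moved to the backup ISP, the 871 has no reason to move. The placeholders w.w.w.w and c.c.c.c are the PIX primary and backup addresses from the question; everything else is as the 871 config above, with the peer lines rewritten.

```cisco
! --- Added example, not the poster's running config.
! --- w.w.w.w / c.c.c.c: PIX primary / backup addresses (placeholders from the question).
!
! As posted. "preferred" is not an IOS keyword, so this line is rejected
! by the parser and the crypto map ends up with no peer ordering at all:
!   set peer w.w.w.w preferred
!
! Corrected crypto map. "default" marks w.w.w.w as the peer IOS returns to
! after the tunnel to the non-default peer c.c.c.c is torn down.
crypto isakmp key SharedSecret address w.w.w.w
crypto isakmp key SharedSecret address c.c.c.c
! periodic DPD: R-U-THERE every 10 s, retry every 2 s once a reply is missed
crypto isakmp keepalive 10 2 periodic
!
crypto map hqvpn 11 ipsec-isakmp
 set peer w.w.w.w default
 set peer c.c.c.c
 ! tear down an idle SA after 120 s so the next attempt goes to the default peer
 set security-association idletime 120
 set transform-set ...
 match address 120
 qos pre-classify
!
interface FastEthernet4
 crypto map hqvpn
!
! Sequence on primary-path failure:
!   1. DPD to w.w.w.w gets no R-U-THERE-ACK; after the retries IOS deletes the IKE and IPsec SAs.
!   2. The next packet matching ACL 120 starts IKE with c.c.c.c (next peer in the list).
!   3. When the c.c.c.c tunnel is idle for 120 s it is removed; the next attempt targets w.w.w.w.
!
! Verification from the 871 (exec mode):
!   show crypto map                      ! both peers present under crypto map "hqvpn"
!   show crypto isakmp sa                ! which peer currently holds the IKE SA
!   show crypto ipsec sa | include peer  ! which peer the IPsec SAs were built with
!   debug crypto isakmp                  ! watch the DPD R-U-THERE exchange and its retransmit failure
!
! Forcing a re-negotiation from the spoke without touching the PIX:
!   clear crypto isakmp
!   clear crypto sa
```

If the spokes still sit on the primary address after this change, confirm with `debug crypto isakmp` that DPD is actually timing out rather than being answered; a PIX that still replies on w.w.w.w while its routing has shifted will keep the spokes pinned to the primary peer regardless of the `default` keyword.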
Nah. Just do it anyway and then tell them your phone company dropped a line (or there were sun spots which caused interference with communications satellites or something else that sounds really technical). :)
<-=+=->
ASKER
:-) Woohoo, it works! Way to go eagle eye SplinterCell5894!
Oh yeah, today was a really bad day for sunspots... good thing they didn't last long!
It's ok to accept a comment as an answer, isn't it? Or is there another protocol.
Darned, and I thought it was going to be a hard one. Had me stumped!
Nope.... I think you actually have to select an answer to accept. Then you give it a grade.
If you look on the right side of the screen next to the correct posted answer, you'll see a button that says "Accept".
Then, you give a grade A, B or C. The grade you give determines the amount of points awarded.
Glad that worked for you!!!
<-=+=->
By the way...
Here's a great web site for you: http://meyerweb.com/feeds/excuse/
You can actually subscribe to an RSS feed which gives you the Excuse of the Day. Here are the last few:
sunspots
failure of the AE-35 unit
neutrino interactions
solar flares
the lack of an American work ethic
tsunamis in the wave-division multiplexer
a squirrel chewed through the cables
an incorrectly polarized packet accelerator
nobody forwarded that memo
line noise from rats in the wall
La Nina
I like La Nina, solar flares and the incorrectly polarized packet accelerator, :)
<-=+=->
ASKER
Great catch on the preferred peer syntax. I agree, something's keeping DPD from doing its job (probably me).
I'll try and report back. It's the production system (wish I had a some spare hardware to test with) so it'll take a maintenance interval to change and test.
Best regards,
Gary