Cisco ASA VPN Failover Setup

Hi,

I really need the experts' help on this one.

Head Office
I have 2x ASA 5510s in Active/Passive failover. I also have 2 broadband connections, Eth 0/0 and 0/2; these are also set up for failover.

4x Branch Offices
I have 4 VPNs to Cisco 1841 devices (different locations); all 1841s have 2 broadband connections with failover set up. All VPNs are set up for the public IP on Eth 0/0 of my ASA.

How would I set up failover for my VPNs if the primary BB connection goes down on the ASA Eth 0/0?

Do I need to set up 4 extra VPNs so that when the primary ASA Eth 0/0 is down, the other VPNs will automatically kick in using the second BB connection on ASA Eth 0/2?

I hope I explained that correctly.

I really want to learn this one.

Thanks, Joe
Asked by joe90kane

trinak96 commented:
On your 1841s add a second peer address in your crypto map, which would be the secondary ASA.
Create a second crypto isakmp key XXXXXX address x.x.x.x as well.

If the first peer is not reachable, primary down, it will try the next peer in the list - which would be your secondary.

There are other methods, but I'm presuming your BB suppliers are different and your external addressing is not in the same subnet?
If they're in the same subnet then HSRP across the external interfaces and set your 1841s to target the HSRP address.
joe90kane (author) commented:
Thanks Trinak,

Here is my config on the 1841's

-----------------------------------------------------------
#sh run
Building configuration...

Current configuration : 4381 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
enable password 7 08224442061C544342595C51
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool branchoffice
   import all
   network 192.168.3.0 255.255.255.0
   netbios-name-server 192.168.1.50
   default-router 192.168.3.253
   dns-server 192.168.1.50 192.168.1.48
!
!
ip name-server 80.80.80.80
ip name-server 80.80.80.81
ip name-server 90.90.90.90
ip name-server 90.90.90.91
vpdn enable
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key branchvpnkey address 80.80.80.80
!
!
! transform-set name made consistent with the "set transform-set" lines below
! (the original defined "branch" but both maps referenced "branchoffice").
! esp-des/esp-md5-hmac are legacy algorithms; esp-aes/esp-sha-hmac are
! supported by 12.4 crypto images and preferred.
crypto ipsec transform-set branchoffice esp-des esp-md5-hmac
!
! access-list 120 (the VPN interesting traffic) is not shown in this excerpt
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set transform-set branchoffice
 match address 120
!
crypto map Magvpn 11 ipsec-isakmp
 set peer 80.80.80.80
 set transform-set branchoffice
 match address 120
!
bridge irb
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DigiVPN
!
interface ATM0/0/0
 no ip address
 atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface BVI1
 mac-address 0000.0c60.a7d0
 backup delay 1 60
 backup interface FastEthernet0/1
 ip address ***.***.***.*** 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ! the original applied "branchvpn", which is not defined anywhere above;
 ! Magvpn is the second crypto map intended for this broadband link
 crypto map Magvpn
!
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
-----------------------------------------------------------


Here is the config with the changes made; is this correct?
Also, do I need to do anything on the ASA to allow for this?


-----------------------------------------------------------

#sh run
Building configuration...

Current configuration : 4381 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
enable password 7 08224442061C544342595C51
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool branchoffice
   import all
   network 192.168.3.0 255.255.255.0
   netbios-name-server 192.168.1.50
   default-router 192.168.3.253
   dns-server 192.168.1.50 192.168.1.48
!
!
ip name-server 80.80.80.80
ip name-server 80.80.80.81
ip name-server 90.90.90.90
ip name-server 90.90.90.91
vpdn enable
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2

crypto isakmp key branchvpnkey address 80.80.80.80
crypto isakmp key branchvpnkey address 90.90.90.90
!
! transform-set name made consistent with the "set transform-set" lines below
! (the original defined "branch" but both maps referenced "branchoffice").
! esp-des/esp-md5-hmac are legacy algorithms; esp-aes/esp-sha-hmac are
! supported by 12.4 crypto images and preferred.
crypto ipsec transform-set branchoffice esp-des esp-md5-hmac
!
! access-list 120 (the VPN interesting traffic) is not shown in this excerpt
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
!
crypto map Magvpn 11 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
!
bridge irb
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DigiVPN
!
interface ATM0/0/0
 no ip address
 atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface BVI1
 mac-address 0000.0c60.a7d0
 backup delay 1 60
 backup interface FastEthernet0/1
 ip address ***.***.***.*** 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ! the original applied "branchvpn", which is not defined anywhere above;
 ! Magvpn is the second crypto map intended for this broadband link
 crypto map Magvpn
!
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
trinak96 commented:
Joe,
Looks good to me apart from one thing. You have 2 crypto maps, DigiVPN & Magvpn. DigiVPN is the only one that will be used, as it has the lower policy number (5), and you're matching the same interesting traffic in access-list 120, so you can remove either of them really. I don't think you need to do anything on the ASAs, assuming they're both configured correctly.

Try a test as well. Get a user to do a continuous ping to one of your servers, then on ASA 1 shut down the external interface (assuming nobody else is using it, of course!); you should then see the VPN come up on ASA 2.
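Added example, not part of the thread or of any Cisco tooling: the second-peer advice earlier in the thread only does anything if every "set peer" has a matching "crypto isakmp key", every "set transform-set" names a transform-set that is actually defined, and the crypto map applied on each WAN interface exists. The Python below cross-checks those references over an IOS running-config excerpt before it is pasted into a router. Its input is a constructed, trimmed copy of the crypto-relevant lines from the posted 1841 config (the masked BVI1 address and access-list 120 are left out because the post does not show them), and the function names parse_crypto and check_failover are chosen here. On that excerpt it flags the transform-set being defined as "branch" but referenced as "branchoffice", the "crypto map branchvpn" applied on BVI1 that is never defined, and Magvpn being defined but never applied; the same excerpt with those two names corrected comes back clean.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted 1841 config after the dual-peer change,
# trimmed to the crypto-relevant lines. The BVI1 address is left out because
# it was masked in the post, and access-list 120 was never shown.
BRANCH_CONFIG = """\
crypto isakmp key branchvpnkey address 80.80.80.80
crypto isakmp key branchvpnkey address 90.90.90.90
crypto ipsec transform-set branch esp-des esp-md5-hmac
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
crypto map Magvpn 11 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
!
interface FastEthernet0/1
 ip address dhcp
 crypto map DigiVPN
interface BVI1
 crypto map branchvpn
"""

# The same excerpt with the two name mismatches repaired (also constructed).
CORRECTED_CONFIG = (
    BRANCH_CONFIG
    .replace("transform-set branch esp", "transform-set branchoffice esp")
    .replace("crypto map branchvpn", "crypto map Magvpn")
)


def parse_crypto(config):
    """Pull the crypto facts out of an IOS running-config excerpt."""
    keys = set()              # peer addresses that have a pre-shared key
    transform_sets = set()    # transform-set names that are defined
    maps = defaultdict(list)  # crypto map name -> its sequence entries
    applied = {}              # interface -> crypto map name applied on it
    block, current = None, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:
            block = None
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                keys.add(m.group(1))
            elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
                transform_sets.add(m.group(1))
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                current = {"seq": int(m.group(2)), "peers": [], "transform_sets": []}
                maps[m.group(1)].append(current)
                block = "map"
            elif m := re.match(r"interface (\S+)", line):
                current, block = m.group(1), "interface"
        elif block == "map":
            if m := re.match(r"set peer (\S+)", line):
                current["peers"].append(m.group(1))
            elif m := re.match(r"set transform-set (.+)", line):
                current["transform_sets"].extend(m.group(1).split())
        elif block == "interface":
            if m := re.match(r"crypto map (\S+)$", line):
                applied[current] = m.group(1)
    return keys, transform_sets, maps, applied


def check_failover(config):
    """Return findings; empty means every reference resolves and each map
    entry has a backup peer with its own pre-shared key."""
    keys, transform_sets, maps, applied = parse_crypto(config)
    findings = []
    for name, entries in maps.items():
        for e in entries:
            where = f"crypto map {name} {e['seq']}"
            if len(e["peers"]) < 2:
                findings.append(f"{where}: single peer, no failover target")
            for peer in e["peers"]:
                if peer not in keys:
                    findings.append(f"{where}: no isakmp key for peer {peer}")
            for ts in e["transform_sets"]:
                if ts not in transform_sets:
                    findings.append(f"{where}: transform-set {ts} is not defined")
    for intf, name in applied.items():
        if name not in maps:
            findings.append(f"{intf}: crypto map {name} is applied but not defined")
    for name in maps:
        if name not in applied.values():
            findings.append(f"crypto map {name} is defined but never applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BRANCH_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_failover(cfg) or ["no findings"])
```

The check covers internal consistency only: it cannot tell whether access-list 120 matches the right traffic, whether the head-office side accepts the branch on both public addresses, or how long the 1841 takes to give up on a dead peer and move to the next one in the list.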
joe90kane (author) commented:
The two crypto maps are for the 2 broadband connections. If one goes down, the other will take over. Should I leave them there?
trinak96 commented:
Haven't got 2 external interfaces on my remote sites, so I haven't tried. If you can try using the same crypto map on both interfaces then that's the way to go - pet hate is wasted config!
Also check your routes; you don't appear to have a weighted route for the backup default route, something like:

ip route 0.0.0.0 0.0.0.0 fa0/1
ip route 0.0.0.0 0.0.0.0 BVI1 25   -----> this would then be used if Fa0/1 is down, or whichever way round you want your primary/secondary links to be.
joe90kane (author) commented:
Thanks for the help, trinak. All configs updated; I will post the test results at the weekend.

Thanks Again, Joe
Question has a verified solution.