Solved

Cisco ASA VPN Failover Setup

Posted on 2007-09-28
Last Modified: 2013-11-16
Hi,

I really need the experts' help on this one.

Head Office
I have 2x ASA 5510s in Active/Passive failover. I also have 2 broadband connections, Eth 0/0 and 0/2; these are also set up for failover.

4x Branch Offices
I have 4 VPNs to Cisco 1841 devices (different locations); all 1841s have 2 broadband connections with failover set up. All VPNs are set up for the public IP on Eth 0/0 of my ASA.

How would I set up failover for my VPNs if the primary BB connection goes down on the ASA Eth 0/0?

Do I need to set up 4 extra VPNs so that when the primary ASA Eth 0/0 is down, the other VPNs will automatically kick in using the second BB connection on Eth 0/2 of the ASA?

I hope I explained that correctly,

I really want to learn this one.

Thanks, Joe
Question by:joe90kane
LVL 9

Accepted Solution

by:
trinak96 earned 2000 total points
ID: 19978660
On your 1841's add a second peer address in your crypto map, which would be the secondary ASA.
Create a second crypto isakmp key XXXXXX address x.x.x.x as well.

If the first peer is not reachable (primary down), it will try the next peer in the list, which would be your secondary.

There are other methods, but I'm presuming your BB suppliers are different and your external addressing is not in the same subnet?
If they're in the same subnet then HSRP across the external interfaces and set your 1841s to target the HSRP address.
LVL 1

Author Comment

by:joe90kane
ID: 19979069
Thanks Trinak,

Here is my config on the 1841's

-----------------------------------------------------------
#sh run
Building configuration...

Current configuration : 4381 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
enable password 7 08224442061C544342595C51
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool branchoffice
   import all
   network 192.168.3.0 255.255.255.0
   netbios-name-server 192.168.1.50
   default-router 192.168.3.253
   dns-server 192.168.1.50 192.168.1.48
!
!
ip name-server 80.80.80.80
ip name-server 80.80.80.81
ip name-server 90.90.90.90
ip name-server 90.90.90.91
vpdn enable
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key branchvpnkey address 80.80.80.80
!
!
crypto ipsec transform-set branch esp-des esp-md5-hmac
!
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set transform-set branchoffice
 match address 120
!
crypto map Magvpn 11 ipsec-isakmp
 set peer 80.80.80.80
 set transform-set branchoffice
 match address 120
!
bridge irb
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DigiVPN
!
interface ATM0/0/0
 no ip address
 atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface BVI1
 mac-address 0000.0c60.a7d0
 backup delay 1 60
 backup interface FastEthernet0/1
 ip address ***.***.***.*** 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map branchvpn
!
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
-----------------------------------------------------------


Here is the config with the changes made; is this correct?
Also, do I need to do anything on the ASA to allow for this?


-----------------------------------------------------------

#sh run
Building configuration...

Current configuration : 4381 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
enable password 7 08224442061C544342595C51
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool branchoffice
   import all
   network 192.168.3.0 255.255.255.0
   netbios-name-server 192.168.1.50
   default-router 192.168.3.253
   dns-server 192.168.1.50 192.168.1.48
!
!
ip name-server 80.80.80.80
ip name-server 80.80.80.81
ip name-server 90.90.90.90
ip name-server 90.90.90.91
vpdn enable
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
 group 2
crypto isakmp key branchvpnkey address 80.80.80.80
crypto isakmp key branchvpnkey address 90.90.90.90
!
!
crypto ipsec transform-set branch esp-des esp-md5-hmac
!
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
!
crypto map Magvpn 11 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
!
bridge irb
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.3.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DigiVPN
!
interface ATM0/0/0
 no ip address
 atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface BVI1
 mac-address 0000.0c60.a7d0
 backup delay 1 60
 backup interface FastEthernet0/1
 ip address ***.***.***.*** 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map branchvpn
!
ip route 0.0.0.0 0.0.0.0 ***.***.***.***
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
-----------------------------------------------------------
LVL 9

Assisted Solution

by:trinak96
trinak96 earned 2000 total points
ID: 19979142
Joe,
Looks good to me apart from one thing. You have 2 crypto maps, DigiVPN & Magvpn. DigiVPN is the only one that will be used as it has the lower policy number (5), and you're matching the same interesting traffic in access-list 120, so you can remove either of them really. I don't think you need to do anything on the ASAs, assuming they're both configured correctly.

Try a test as well. Get a user to do a continuous ping to one of your servers, then on ASA 1 shut down the external interface (assuming nobody else is using it, of course!); you should then see the VPN come up on ASA 2.
LVL 1

Author Comment

by:joe90kane
ID: 19979620
The two crypto maps are for the 2 Broadband connections. If one goes down the other will take over. Should I leave them there?
LVL 9

Assisted Solution

by:trinak96
trinak96 earned 2000 total points
ID: 19979711
Haven't got 2 external interfaces on my remote sites so I haven't tried. If you can try using the same crypto map on both interfaces then that's the way to go - pet hate is wasted config!
Also check your routes; you don't appear to have a weighted route for the backup default route, something like:

ip route 0.0.0.0 0.0.0.0 fa0/1
ip route 0.0.0.0 0.0.0.0 BVI1 25 -----> this would be used then if Fa0/1 is down, or whichever way round you want your primary/secondary links to be.
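As an added check (not from the thread or from Cisco), a small Python linter run over a constructed IOS snippet shaped like the posted 1841 config. It flags a `set peer` with no matching `crypto isakmp key`, a `set transform-set` or interface-level `crypto map` that names something never defined (as the posted config does with `branchoffice` and `branchvpn`), and two default routes with no distance on the backup, i.e. the floating static trinak describes. Names and addresses in the sample are constructed placeholders.

```python
import re

# Constructed sample, trimmed to the lines that matter for dual-peer failover.
SAMPLE_CONFIG = """\
crypto isakmp key branchvpnkey address 80.80.80.80
crypto isakmp key branchvpnkey address 90.90.90.90
crypto ipsec transform-set branch esp-des esp-md5-hmac
crypto map DigiVPN 5 ipsec-isakmp
 set peer 80.80.80.80
 set peer 90.90.90.90
 set transform-set branchoffice
 match address 120
interface FastEthernet0/1
 crypto map DigiVPN
interface BVI1
 crypto map branchvpn
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 BVI1
"""


def lint_vpn_failover(config: str) -> list[str]:
    """Return findings for an IOS IPsec config meant to fail over between peers."""
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    maps = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    findings = []
    # A second peer only helps if IKE has a pre-shared key for it.
    for peer in re.findall(r"^ set peer (\S+)", config, re.M):
        if peer not in keyed:
            findings.append(f"peer {peer} has no 'crypto isakmp key' entry")
    # Dangling names: IOS accepts them but the map will never build an SA.
    for ts in re.findall(r"^ set transform-set (\S+)", config, re.M):
        if ts not in tsets:
            findings.append(f"transform-set {ts} is referenced but never defined")
    for m in re.findall(r"^ crypto map (\S+)$", config, re.M):
        if m not in maps:
            findings.append(f"interface applies undefined crypto map {m}")
    # Equal-distance default routes load-share; a backup needs a higher distance.
    defaults = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?$", config, re.M)
    if len(defaults) > 1 and all(d == "" for d in defaults):
        findings.append("multiple default routes with equal distance; add a distance to the backup")
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_failover(SAMPLE_CONFIG):
        print(finding)
```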
LVL 1

Author Comment

by:joe90kane
ID: 19998415
Thanks for the help trinak, all configs updated and will post the test results at the weekend.

Thanks Again, Joe