Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ASA 5505 Peer Settings, originate only for a redundant peer IP?

Posted on 2014-11-24
2
614 Views
Last Modified: 2014-12-02
I have a 5505 with a vpn tunnel to the main site, this is the primary IP in the crypto map. The redundant IP in the crypto is to another firewall. The thought was that if the primary vpn tunnel goes down, or the primary IP is not reachable for any reason then the 5505 would automatically connect to the secondary redundant IP in the crypto map, the secondary firewall. But, upon further reading it seems that the connection type on the 5505 would need to be set as "connection-type originate-only". Is that true? I had it set as bidirectional. In the ASDM, when you edit the crypto map it says:

 "Uni-directional connection type policies are used for LAN-to-LAN redundancy. Tunnel policies of the "Originate Only" connection type may specify up to 10 redundant peers".

So if my purpose is for the 5505 to connect to a primary 5520, and if that isn't available to connect to another 5520, then I would use the "originate only" on the 5505? Would I change the 2 other crypto maps on the other firewall listening to "answer only"?

crypto map outside_map1 2 match address outside_cryptomap
crypto map outside_map1 2 set pfs group5
crypto map outside_map1 2 set peer "ASA 5520 #1 IP Address" "ASA 5520 #2 IP Address"
crypto map outside_map1 2 set ikev1 transform-set TransformSet
crypto map outside_map1 2 set nat-t-disable


Thanks.
0
Comment
Question by:tolinrome
2 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40463977
Whenever I've set this up before - I've never set originate-only and I've not had a problem, though I'm usually seting both peer addresses to two addresses on the SAME firewall (i.e, ISP failover)
0
 
LVL 7

Author Comment

by:tolinrome
ID: 40464450
Thanks, I'll take a look at the article you inserted.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question