October 24

Site-to-Site VPN with dual ISP for backup/redundancy

I recently came across a scenario where a customer had two internet links from two different ISPs terminating on his ASA. If his primary link (ISP2) became unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows how to configure a firewall with two internet links, using the SLA monitoring feature, to get the required redundancy for the Site-to-Site VPN.

The site with two ISPs (FW2 in this case) is the one that needs the major changes. The basic site-to-site configuration remains the same; only the additional configuration for the backup peer IP 3.3.3.1 is covered in this post.

Backup Site-to-Site VPN - Peering with 2 peer IPs on a single firewall

On FW1:

2.2.2.1 is the primary peer IP for this VPN; its configuration is already in place and the tunnel is up and working.

1. Create tunnel group for the backup peer IP.

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key cisco

2. Add the backup peer IP to the existing crypto map entry for 2.2.2.1 and make sure the connection-type is set to bi-directional (the default).

crypto map outside_map 10 set peer 2.2.2.1 3.3.3.1
crypto map outside_map 10 set connection-type bi-directional

On FW2:

Interface configuration on FW2 firewall.

interface GigabitEthernet0
 description Connected to ISP2 - Primary link
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet1
 description Connected to ISP3 - Backup link
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0

1. Create an SLA monitor that polls the gateway IP of ISP2 (the primary link). Add a default route pointing to the gateway IP of ISP3 (the backup link) with an administrative distance (AD) of 254. Track the primary default route (via ISP2) with the SLA monitor, so that it is withdrawn and the AD 254 backup route takes over when the ISP2 gateway stops responding.

sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254

2. IKEv1 and ‘crypto map outside_map’ are already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will terminate the VPN, so the following is needed for the VPN to establish. Also check the connection-type, which should be set to bi-directional (the default).

Enable ‘crypto ikev1’ and apply ‘outside_map’ on the outside2 interface:

Existing config:

crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional

Additional config:

crypto ikev1 enable outside2
crypto map outside_map interface outside2

3. Create additional NAT statements for the outside2 interface, mirroring your existing NAT.

Existing NAT:

nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

Additional NAT:

nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
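Mirroring the crypto, routing and NAT configuration onto outside2 by hand is easy to get partly wrong, and a missing piece only shows up during a real ISP2 outage. As an added example (not part of the original post, and not an ASA feature), the following Python script audits the relevant lines of both firewalls' running configs for the conditions this post sets up: on FW1 the backup peer must appear in the crypto map peer list and have an ipsec-l2l tunnel-group; on FW2 every interface carrying the crypto map must have IKEv1 enabled, a default route (the AD 1 route tracked by an existing SLA monitor) and the same identity-NAT exemptions. The sample config string is constructed from this post's lines; `audit_fw1`, `audit_fw2` and `FW2_CFG` are names chosen for this example.

```python
import re

# Constructed sample input: FW2's configuration lines from this post (not real device output).
FW2_CFG = """
sla monitor 10
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto map outside_map interface outside
crypto map outside_map interface outside2
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
"""

def audit_fw1(cfg, backup_peer, map_name="outside_map"):
    """Single-ISP side: the backup peer needs an ipsec-l2l tunnel-group and a place in the peer list."""
    findings = []
    peer_lists = re.findall(rf"^crypto map {map_name} \d+ set peer (.+)$", cfg, re.M)
    if not any(backup_peer in peers.split() for peers in peer_lists):
        findings.append(f"{backup_peer} is not a peer in crypto map {map_name}")
    if not re.findall(rf"^tunnel-group {re.escape(backup_peer)} type ipsec-l2l$", cfg, re.M):
        findings.append(f"no ipsec-l2l tunnel-group for {backup_peer}")
    return findings

def audit_fw2(cfg, map_name="outside_map"):
    """Dual-ISP side: every interface carrying the crypto map needs IKEv1 enabled, a default
    route (the AD-1 route tracked by an existing SLA monitor) and the same NAT exemptions."""
    findings = []
    ikev1 = set(re.findall(r"^crypto ikev1 enable (\S+)$", cfg, re.M))
    slas = set(re.findall(r"^sla monitor (\d+)$", cfg, re.M))
    tracks = dict(re.findall(r"^track (\d+) rtr (\d+) reachability$", cfg, re.M))  # track id -> sla id
    routes = {ifc: (int(ad), trk) for ifc, ad, trk in
              re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$", cfg, re.M)}
    nat = {}  # interface -> set of (local, remote) identity-NAT pairs
    for ifc, src, dst in re.findall(r"^nat \(inside,(\S+)\) source static (\S+) \S+ destination static (\S+)", cfg, re.M):
        nat.setdefault(ifc, set()).add((src, dst))
    for ifc in re.findall(rf"^crypto map {map_name} interface (\S+)$", cfg, re.M):
        if ifc not in ikev1:
            findings.append(f"crypto ikev1 not enabled on {ifc}")
        ad, trk = routes.get(ifc, (None, ""))
        if ad is None:
            findings.append(f"no default route via {ifc}")
        elif ad == 1 and tracks.get(trk) not in slas:
            findings.append(f"primary default route via {ifc} is not tracked by an existing sla monitor")
        for src, dst in set().union(*nat.values()) - nat.get(ifc, set()):
            findings.append(f"{ifc} lacks NAT exemption {src} -> {dst}")
    return findings
```

Run `audit_fw2` against the output of `show running-config` on FW2 (and `audit_fw1` with the backup peer IP against FW1); an empty list means every check passed.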
Category: CISCO, VPN