I recently came across this scenario where a customer had two internet links terminating on his ASA from two different ISPs. If his primary link (ISP2) was unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows you how to configure a firewall having two internet links using the SLA monitoring feature to get the required redundancy for the Site-to-Site VPN.
The site having two ISPs (in this case, FW2) is the one that needs major changes. Basic site-to-site configuration remains the same and only additional configuration for the backup peer IP 18.104.22.168 is covered under this post.
22.214.171.124 is the primary peer IP for this VPN whose configuration is already in place and the tunnel is up and working.
1. Create tunnel group for the backup peer IP.
tunnel-group 126.96.36.199 type ipsec-l2l tunnel-group 188.8.131.52 ipsec-attributes ikev1 pre-shared-key cisco
2. Add the backup peer IP to the existing crypto map for 184.108.40.206 and make sure the connection-type is set to bi-directional (which is the default).
crypto map outside_map 10 set peer 220.127.116.11 18.104.22.168 crypto map outside_map 10 set connection-type bi-directional
Interface configuration on FW2 firewall.
interface GigabitEthernet0 description Connected to ISP2 - Primary link nameif outside security-level 0 ip address 22.214.171.124 255.255.255.0 ! interface GigabitEthernet1 description Connected to ISP3 - Backup link nameif outside2 security-level 0 ip address 126.96.36.199 255.255.255.0
1. Create an SLA monitor to monitor the gateway IP of ISP2 (primary link). Add a default route pointing towards the gateway IP of ISP3 (secondary link) with an AD value 254. Track it using the SLA monitor.
sla monitor 10 type echo protocol ipIcmpEcho 188.8.131.52 interface outside frequency 5 sla monitor schedule 10 life forever start-time now ! track 1 rtr 10 reachability ! route outside 0.0.0.0 0.0.0.0 184.108.40.206 1 track 1 route outside2 0.0.0.0 0.0.0.0 220.127.116.11 254
2. IKEv1 and ‘crypto map outside_map’ is already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will be terminating the VPN and the following needs to be done for the VPN to establish. Also check for the connection-type which should be set to bi-directional (be default).
Enable ‘crypto ikev1’ and apply the ‘outside_map’ on the outside2 interface;
crypto ikev1 enable outside crypto map outside_map interface outside crypto map outside_map 10 set connection-type bi-directional
crypto ikev1 enable outside2 crypto map outside_map interface outside2
3. Create additional NAT statements for outside2 interface mirroring with your existing NAT.
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup nat (inside,outside2) after-auto source dynamic any interface