Site-to-Site VPN with dual ISP for backup/redundancy


I recently came across this scenario where a customer had two internet links terminating on his ASA from two different ISPs. If his primary link (ISP2) was unavailable, he wanted the Site-to-Site VPN to fail over to the backup link (ISP3). This post shows you how to configure a firewall having two internet links using the SLA monitoring feature to get the required redundancy for the Site-to-Site VPN.

The site with two ISPs (in this case, FW2) is the one that needs the major changes. The basic site-to-site configuration stays the same; only the additional configuration for the backup peer IP 3.3.3.1 is covered in this post.

Backup Site-to-Site VPN - Peering with 2 peer IPs on a single firewall

On FW1:

2.2.2.1 is the primary peer IP for this VPN; its configuration is already in place and the tunnel is up and working.

1. Create tunnel group for the backup peer IP.

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key cisco

2. Add the backup peer IP to the existing crypto map for 2.2.2.1 and make sure the connection-type is set to bi-directional (which is the default).

crypto map outside_map 10 set peer 2.2.2.1 3.3.3.1
crypto map outside_map 10 set connection-type bi-directional

On FW2:

Interface configuration on FW2 firewall.

interface GigabitEthernet0
 description Connected to ISP2 - Primary link
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0 
!
interface GigabitEthernet1
 description Connected to ISP3 - Backup link
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0

1. Create an SLA monitor that pings the gateway IP of ISP2 (primary link). Add a default route pointing towards the gateway IP of ISP3 (secondary link) with an AD value of 254, and track the primary default route with the SLA monitor.

sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254

2. IKEv1 and ‘crypto map outside_map’ are already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will terminate the VPN, so the following is needed for the VPN to establish there. Also check that the connection-type is set to bi-directional (the default).

Enable ‘crypto ikev1’ and apply ‘outside_map’ on the outside2 interface:

Existing config:

crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional

Additional config:

crypto ikev1 enable outside2
crypto map outside_map interface outside2

3. Create additional NAT statements for the outside2 interface mirroring your existing NAT.

Existing NAT:

nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

Additional NAT:

nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
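As an added example (not code from the post), a small Python checker that walks an ASA running config and reports which of the three FW2 steps above is missing: the tracked primary route with its SLA monitor, the floating AD 254 backup route, IKEv1 and the shared crypto map on both interfaces, a non-restrictive connection-type, and the mirrored NAT rules. The sample config is constructed from the snippets in this post and the function name is mine.

```python
import re
# Constructed sample assembled from the FW2 steps in this post (not a real device dump).
FW2_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto map outside_map 10 set connection-type bi-directional
sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
"""

def check_dual_isp_vpn(config, primary, backup):
    """Return the redundancy pieces missing from an ASA config; [] means every step is present."""
    problems = []
    def lines(pattern):  # all matches of a one-line ASA command, anchored per line
        return re.findall(pattern, config, re.M)
    # Step 1: tracked primary default route backed by an SLA monitor, plus a floating backup route.
    tracks = dict(lines(r"^track (\d+) rtr (\d+) reachability$"))
    slas = set(lines(r"^sla monitor (\d+)$"))
    tracked = lines(rf"^route {primary} 0\.0\.0\.0 0\.0\.0\.0 \S+ 1 track (\d+)$")
    if not tracked:
        problems.append(f"default route via {primary} is not tracked")
    elif tracks.get(tracked[0]) not in slas:
        problems.append(f"track {tracked[0]} has no SLA monitor behind it")
    if not lines(rf"^route {backup} 0\.0\.0\.0 0\.0\.0\.0 \S+ 254$"):
        problems.append(f"no floating (AD 254) default route via {backup}")
    # Step 2: IKEv1 enabled and the same crypto map applied on both egress interfaces.
    for iface in (primary, backup):
        if not lines(rf"^crypto ikev1 enable {iface}$"):
            problems.append(f"crypto ikev1 not enabled on {iface}")
    applied = {}
    for name, iface in lines(r"^crypto map (\S+) interface (\S+)$"):
        applied.setdefault(name, set()).add(iface)
    if not any({primary, backup} <= ifaces for ifaces in applied.values()):
        problems.append(f"no single crypto map applied on both {primary} and {backup}")
    for ctype in lines(r"^crypto map \S+ \d+ set connection-type (\S+)$"):
        if ctype != "bi-directional":
            problems.append(f"connection-type {ctype} stops one side from initiating after failover")
    # Step 3: every NAT rule on the primary interface needs a mirror on the backup interface.
    for rule in lines(rf"^nat \(inside,{primary}\) (.*)$"):
        if not lines(rf"^nat \(inside,{backup}\) {re.escape(rule)}$"):
            problems.append(f"NAT rule not mirrored on {backup}: {rule}")
    return problems
```

Feed it the output of `show running-config` and the interface names of the primary and backup links; an empty list means the post's checklist is complete.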

Cisco documentation:

SLA Monitor

SLA Monitor Schedule

Backup Site-to-Site tunnel


9 thoughts on “Site-to-Site VPN with dual ISP for backup/redundancy”

  1. I have an old Pix 6.3, any idea what the equivalent command is for the: crypto map outside_map 10 set connection-type bi-directional ??

  2. The ‘set connection-type’ command was introduced by Cisco in version 7.0. So, 6.3 code does not have a command for changing the connection-type and it’s safe to assume that it’s set to bi-directional by default.

    Here’s the link to that Cisco documentation which shows the version of software which supports this command;
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml#backup

    Hope that helps :)

  3. I do not know if it’s just me or if everyone else is encountering issues with your
    website. It seems like some of the written text
    in your posts is running off the screen. Can somebody else please comment and let me
    know if this is happening to them too? This could be an issue with my browser because I’ve had this
    happen before. Kudos

  4. Hey,

    Yes, the blog has a problem with IE and maybe even firefox. The CSS code that I have on my blog isn’t compatible with those browsers. Try using Chrome and it should be fine. :)
    In the near future I’ll try to get some time out of my hectic work schedule to fix this. It’s been on my to-do list for a long time now.

    Thanks,
    Shoaib

  5. Hi Shoeb,
    This post helped a lot.
    However, we are having issues with failover or primary to backup.
    Can you please review the config below and advise if my understanding is right or any modification is required.

    ***************************** Site A ************************************
    sla monitor 123
    type echo protocol ipIcmpEcho 8.8.8.8 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now

    route outside 0.0.0.0 0.0.0.0 175.143.73.169 1 track 1
    route backup 0.0.0.0 0.0.0.0 218.111.150.225 254

    crypto ikev1 enable outside
    crypto ikev1 enable backup

    crypto map outside_map1 interface outside

    nat (inside,outside) source static FMYHQ FMYHQ destination static obj-175.143.45.186 obj-175.143.45.186 no-proxy-arp route-lookup
    nat (inside,any) source static FMYHQ FMYHQ destination static WarehouseRemote WarehouseRemote no-proxy-arp route-lookup
    nat (inside,any) source static any any destination static WarehouseRemote WarehouseRemote no-proxy-arp route-lookup

    access-list inside_access_in line 3 extended permit ip any4 object WarehouseRemote
    access-list outside_cryptomap_10 line 1 extended permit ip any4 object WarehouseRemote

    ******************* Site B ***************************
    tunnel-group 175.143.73.170 type ipsec-l2l
    tunnel-group 175.143.73.170 ipsec-attributes
    tunnel-group 218.111.150.226 type ipsec-l2l
    tunnel-group 218.111.150.226 ipsec-attributes

    crypto map BACKUP_map 1 match address BACKUP_1_cryptomap
    crypto map BACKUP_map 1 set pfs group1
    crypto map BACKUP_map 1 set peer 175.143.73.170 218.111.150.226
    crypto map BACKUP_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map BACKUP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map BACKUP_map interface BACKUP

    ——————————————————————————————————-
    Regards,
    Sharad

  6. Kindly assist I’m not able to apply the command
    ASA5506 (config)# crypto map outside_map interface backup
    ERROR: crypto map has entries with reverse-route injection enabled
    Cannot attach to multiple interfaces

    Is there any other way to enable the crypto map on 2 interfaces at the same time and make this redundancy scenario work?

    Thank You,
    Mohamed

  7. If possible, create a separate crypto-map without the reverse-route injection command.

    Reverse-route option is generally used for remote-access VPN IP pool. You can also manually add a static route for those local IP pools pointing to your outside interface and get rid of the reverse-route injection command in the crypto map.

    Hope that helps

    Regards,
    Shoaib
