VPN tunnels between ASA 5510 and 2 PIX506.

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

Postby Guest » Thu Dec 30, 2010 6:56 am

Hi,

I'm trying to figure out the best way to connect to one of my sites, where I have 2 PIX 506 firewalls with 2 different ISPs for redundancy. In the main building I have an ASA 5510, so I built 2 VPN tunnels and connected to both PIXs. I'd like to be able to switch between these 2 tunnels in case of service disruptions. So far I'm able to connect through the 1st tunnel I built, but when I try to switch over to the 2nd tunnel, I'm losing network connectivity (even though the tunnel is up). It seems that the ASA stops forwarding packets, as I see "Bytes Rx" but not "Bytes Tx" on the ASA side. Is it a result of having 2 tunnels terminating to the same networks? Is there a better way to achieve redundancy in such a configuration?

10.x.x.x --- ASA (108.x.x.x) ---- VPN Tunnel 1 ---- Cisco Pix1 ---+
                                                                  +--- Cisco 2950 --- 192.168.x.x
                             ---- VPN Tunnel 2 ---- Cisco Pix2 ---+

Thank you.

Guest
Re:VPN tunnels between ASA 5510 and 2 PIX506.

Postby Guest » Thu Dec 30, 2010 7:30 am

Hi,

You don't have the two tunnels up at the same time, correct?

I mean, there's only one tunnel up and passing traffic, and if this tunnel goes down it should use the other, correct?

If this is so...

You need to configure both tunnels normally and by means of routing give priority to one over the other.

If using static routes you can use the IP SLA tracking feature for this.

On the ASA and PIX sides... are both tunnels terminated on the same physical interface or on different interfaces?

Federico.

Guest

Re:VPN tunnels between ASA 5510 and 2 PIX506.

Postby Guest » Thu Dec 30, 2010 8:57 am

You are right. I have only 1 tunnel passing traffic... and if it goes down it should use the other one (but it's not at this moment). I have 1 public interface on the ASA, so both PIXes (tunnels) terminate on the same interface on the ASA. Then, looking from the ASA side, there are 2 tunnels being terminated to 2 different PIXes (separate firewalls with 2 different public interfaces/IPs).

Do you think that the ASA doesn't know how to handle packets after the primary tunnel goes down? I simulated such a scenario by shutting down one of the PIXes and the ASA would not use the backup tunnel.

Also, the inside interfaces on both PIXes are connected to a Cisco 2950 switch. Should I use the same "inside" IP address on both? How could I configure the Cisco 2950 switch to work properly in this config? I mean, should I configure the PIXes with different private addresses, and configure the switch/PCs with 2 different gateways?

Could you provide a sample config/documentation for the IP SLA tracking feature? Will it work in my setup?

Thanks again

Guest

Re:VPN tunnels between ASA 5510 and 2 PIX506.

Postby Guest » Thu Dec 30, 2010 9:17 am

Let's see...

The ASA uses a single interface for the tunnel termination of both PIXes.

The ASA should establish one tunnel to the primary PIX and, if it fails, it should establish a separate tunnel to the other PIX.

In this case, both PIXes will have the same VPN configuration pointing to the ASA.

Do you have both peers under the same crypto map on the ASA?

i.e.

crypto map mymap 10 set peer x.x.x.x y.y.y.y  --> x.x.x.x is the public IP of the 1st PIX and y.y.y.y is the public IP of the 2nd PIX.

So, the ASA will attempt to establish the tunnel first with one PIX and if it fails it will try the other one.

You don't need the IP SLA feature on the ASA because you're using a single physical interface.

There's no need for that on the PIXes, because there are two separate PIXes.

The IP SLA is used when one single device needs to control the status of more than one of its interfaces.

I don't seem to find a configuration example, but let me know if you have any questions.

Federico.

Guest

Re:VPN tunnels between ASA 5510 and 2 PIX506.

Postby Guest » Thu Dec 30, 2010 9:36 am

Ok thanks. This is the current config:

crypto map MM 3 match address A_DSL_cryptomap      // backup tunnel
crypto map MM 3 set peer 65.x.x.x
crypto map MM 3 set transform-set myset2
crypto map MM 4 match address A_Cable_cryptomap    // primary tunnel
crypto map MM 4 set peer 24.x.x.x
crypto map MM 4 set transform-set myset2

Should I just completely remove crypto map MM 3 (backup tunnel) and modify crypto map MM 4? i.e.

no crypto map MM 3 match address A_DSL_cryptomap
no crypto map MM 3 set peer 65.x.x.x
no crypto map MM 3 set transform-set myset2

no crypto map MM 4 set peer 24.x.x.x

crypto map MM 4 set peer 24.x.x.x 65.x.x.x

I really appreciate your help.

Guest
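As an added example that is not part of the thread, this is what the consolidated ASA side could look like once both PIX peers sit under a single crypto map entry as Federico describes, together with the show commands to confirm which peer is carrying traffic. The masked addresses (24.x.x.x, 65.x.x.x), the placeholder networks, the interface name "outside" and the pre-shared keys are assumptions; the PIX side keeps its own tunnel definition pointing at the ASA.

```cisco
! Added example, not the thread's own config. Addresses are the thread's masked
! values; networks, keys and the "outside" interface name are placeholders.
!
! 1. Drop the separate backup entry so only one entry matches the remote site.
!    Two entries whose ACLs cover the same networks leave the ASA picking one of
!    them for outbound traffic regardless of which tunnel is actually up.
no crypto map MM 3 match address A_DSL_cryptomap
no crypto map MM 3 set peer 65.x.x.x
no crypto map MM 3 set transform-set myset2
!
! 2. One crypto ACL for the site (placeholder networks, ASA LAN -> PIX LAN)
access-list A_Cable_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.10.0 255.255.255.0
!
! 3. Primary (cable) PIX listed first, backup (DSL) PIX second; the ASA tries
!    the peers in that order when it brings the tunnel up.
no crypto map MM 4 set peer 24.x.x.x
crypto map MM 4 match address A_Cable_cryptomap
crypto map MM 4 set peer 24.x.x.x 65.x.x.x
crypto map MM 4 set transform-set myset2
! originate-only makes the ASA the initiator so it can move on to the next
! listed peer (assumption: check the keyword exists on your ASA release)
crypto map MM 4 set connection-type originate-only
crypto map MM interface outside
!
! 4. One tunnel-group per peer, each with its own pre-shared key, plus
!    ISAKMP keepalives (dead peer detection, values in seconds) so the ASA
!    notices when the active PIX stops answering instead of waiting for
!    the SA lifetime to expire.
tunnel-group 24.x.x.x type ipsec-l2l
tunnel-group 24.x.x.x ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY_CABLE
 isakmp keepalive threshold 10 retry 2
tunnel-group 65.x.x.x type ipsec-l2l
tunnel-group 65.x.x.x ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY_DSL
 isakmp keepalive threshold 10 retry 2
!
! 5. Verification: confirm the single entry, see which peer has an IKE SA,
!    and check that BOTH the encaps and decaps counters increase for it
!    (the original symptom was Rx only, i.e. decaps without encaps).
show crypto map
show crypto isakmp sa
show crypto ipsec sa peer 24.x.x.x
show crypto ipsec sa peer 65.x.x.x
```

To test failover, shut the primary PIX's outside interface (or pull its ISP link) and re-run the show commands; after the keepalive threshold and retries elapse the IKE SA should appear against 65.x.x.x and its encaps counter should start climbing.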
 


