Redundant Tunnels with ASA 5505


    Has anyone tried to create redundant VPN tunnels using the ASA? Our provider gave us 'two' links over a trunked port and one cable drop, so we have the ASA with two VLANs: one 'Internet' and one to the main office. We currently have one tunnel up but would like to have redundancy. Here is the current scrubbed config:


    ASA Version 7.2(4)

    !

    hostname XXXX0101025505
    enable password encrypted
    passwd encrypted
    names
    name X.X.67.0 Somecity_VLAN67
    name X.X.2.0 Somecity_VLAN2
    name X.X.7.0 Somecity_VLAN7
    name X.X.6.0 Somecity_VLAN6
    name X.X.8.0 Somecity_VLAN8
    name X.X.5.0 Somecity_VLAN5
    name X.X.1.0 Somecity_VLAN1
    name X.X.4.0 Somecity_VLAN4
    name X.X.32.0 UpperArlington_Subnet32
    !
    interface Vlan64
    nameif XXXXNetwork
    security-level 100
    ip address X.X.64.251 255.255.255.0

    interface Vlan1201
    nameif Internet
    security-level 0
    ip address x.x.x.130 255.0.0.0
    !
    interface Vlan1204
    nameif XXXX
    security-level 0
    ip address X.X.99.251 255.255.255.0
    !
    interface Ethernet0/0
    switchport trunk allowed vlan 1200-1204
    switchport mode trunk
    speed 100
    duplex full
    !
    interface Ethernet0/1
    switchport access vlan 64
    !
    interface Ethernet0/2
    switchport access vlan 64
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !

    ftp mode passive
    clock timezone UTC -4
    object-group network XXXXLocal
    description YYYY XXXX Office
    network-object X.X.64.0 255.255.255.0
    object-group network XxxxRemote
    description Remote network list for the YYYY Xxxxstown office.
    network-object Somecity_VLAN2 255.255.255.0
    network-object Somecity_VLAN67 255.255.255.0
    network-object Somecity_VLAN7 255.255.255.0
    network-object Somecity_VLAN1 255.255.255.0
    network-object Somecity_VLAN5 255.255.255.0
    network-object Somecity_VLAN6 255.255.255.0
    network-object Somecity_VLAN8 255.255.255.0
    network-object Somecity_VLAN4 255.255.255.0
    network-object Upper_Subnet32 255.255.255.0

    access-list crypto10 extended permit ip object-group XXXXLocal any
    access-list inside_outbound_nat0_acl extended permit ip object-group XXXXLocal any
    access-list YYYY extended permit tcp host X.X.99.3 any eq 50 log
    access-list YYYY extended permit tcp host X.X.99.3 any eq 51 log
    access-list YYYY extended permit udp host X.X.99.3 any eq isakmp log
    access-list YYYY extended permit ip host X.X.99.0 any log
    access-list YYYY extended permit icmp X.X.0.0 255.255.255.0 any
    access-list YYYY extended deny ip 14.2.6.0 255.255.255.0 any log
    access-list YYYY extended deny ip 127.0.0.0 255.255.255.0 any log
    access-list YYYY extended deny ip 10.0.0.0 255.255.255.0 any log
    access-list YYYY extended deny ip 0.0.0.0 255.0.0.0 any log
    access-list YYYY extended deny ip 192.168.0.0 255.255.0.0 any log
    access-list YYYY extended deny ip 192.0.2.0 255.255.255.0 any log
    access-list YYYY extended deny ip 169.254.0.0 255.255.0.0 any log
    access-list YYYY extended deny ip 224.0.0.0 224.0.0.0 any log
    access-list YYYY extended deny ip host 255.255.255.255 any log
    access-list YYYY extended deny icmp any any echo log
    access-list YYYY extended deny icmp any any redirect log
    access-list YYYY extended deny icmp any any mask-request log
    pager lines 24
    logging console critical
    logging asdm informational
    mtu XXXXNetwork 1500
    mtu Internet 1500
    mtu XXXX 1500
    ip verify reverse-path interface XXXX
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (XXXXNetwork) 0 access-list inside_outbound_nat0_acl
    access-group YYYY in interface XXXX
    route XXXX 0.0.0.0 0.0.0.0 X.X.99.251 1
    timeout xlate 0:30:00
    timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    no snmp-server enable
    crypto ipsec transform-set YYYYXXXX
    crypto map XXXX 10 match address crypto10
    crypto map XXXX 10 set peer X.X.99.3
    crypto map XXXX 10 set transform-set YYYYXXXX
    crypto map XXXX interface XXXX
    crypto isakmp enable XXXX
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 1
    ssh X.X.75.0 255.255.255.0 XXXXNetwork
    ssh X.X.64.0 255.255.255.0 XXXXNetwork
    ssh timeout 5
    console timeout 5
    management-access XXXXNetwork
    username mmmmm password eeeeeeee encrypted
    tunnel-group X.X.99.3 type ipsec-l2l
    tunnel-group X.X.99.3 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:
    : end
    XXXX0101025505#



    NOW... I would like to add these lines; will this work?

    no route YOUX 0.0.0.0 0.0.0.0 172.x.x.x 1
    route YOUX 0.0.0.0 0.0.0.0 172.x.x.x 1 track 1
    access-group YYYY in interface Internet
    route backup 0.0.0.0 0.0.0.0 x.x.x.130 254
    crypto ipsec transform-set YYYYInternet esp-3des esp-md5-hmac
    crypto map Internet 10 match address crypto10
    crypto map Internet 10 set peer x.x.x.7
    crypto map Internet 10 set transform-set YYYYInternet
    crypto map Internet interface Interface
    crypto isakmp enable Internet
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    tunnel-group x.x.x.7 type ipsec-l2l

    tunnel-group x.x.x.7 ipsec-attributes

    pre-shared-key *


    Lastly... can I have the ACL applied to two interfaces, so that when the other link goes away it will use the same ACL?
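An added example, not from the original poster, of how the redundancy pattern sketched in the two blocks above is normally assembled on an ASA: an IP SLA probe tracks the main-office peer, the primary default route is tied to that track, a backup default route with administrative distance 254 points out the Internet interface, and a second crypto map using the same crypto ACL is bound to that interface. Interface, ACL and peer names are the scrubbed ones from the post; MAIN_OFFICE_GW and ISP_GW are placeholders for the real next hops, and the probe target, timers and use of ICMP for the probe are assumptions. Two checks worth making before pasting: the crypto map is bound with the interface nameif (here `Internet`), and ISAKMP policies are global, so the existing policy 10 already serves both peers without re-entering it. Note also that ESP and AH are IP protocols 50 and 51, not TCP ports, and that IKE and ESP addressed to the ASA's own interface are not subject to the interface ACL, so the host X.X.99.3 lines in the YYYY ACL are not what admits the tunnel. The 3DES/MD5/group 2 proposal is kept so the example matches the posted peers; where the software supports it, AES, SHA and a stronger DH group are the better choice.

```text
! --- Track reachability of the main-office peer over the trunk link ---
! Probe target, packet count and frequency are assumptions for this example.
sla monitor 1
 type echo protocol ipIcmpEcho X.X.99.3 interface XXXX
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route on the trunk link, withdrawn while track 1 is down.
! MAIN_OFFICE_GW is a placeholder for the real next hop on VLAN 1204.
route XXXX 0.0.0.0 0.0.0.0 MAIN_OFFICE_GW 1 track 1
! Backup default route via the Internet link (AD 254, so it is only installed
! while the tracked route is absent). ISP_GW is a placeholder for the ISP gateway.
route Internet 0.0.0.0 0.0.0.0 ISP_GW 254
!
! --- Second crypto map, same crypto ACL, bound to the Internet interface ---
! Transform set kept as posted (3DES/MD5) to match the existing peers.
crypto ipsec transform-set YYYYInternet esp-3des esp-md5-hmac
crypto map Internet 10 match address crypto10
crypto map Internet 10 set peer x.x.x.7
crypto map Internet 10 set transform-set YYYYInternet
! Bind with the interface nameif, which is "Internet" in the posted config.
crypto map Internet interface Internet
crypto isakmp enable Internet
!
! ISAKMP policy 10 is global and already exists; no second copy is needed.
tunnel-group x.x.x.7 type ipsec-l2l
tunnel-group x.x.x.7 ipsec-attributes
 pre-shared-key *
!
! --- Same interface ACL on both outside-facing interfaces ---
! The ASA accepts one ACL name in more than one access-group statement.
access-group YYYY in interface XXXX
access-group YYYY in interface Internet
```

When the trunk-side peer stops answering the probe, track 1 goes down, the AD 1 route is removed, the AD 254 route takes over, and traffic matching crypto10 now exits the Internet interface, where the second crypto map negotiates a fresh tunnel to x.x.x.7. `show track 1`, `show route` and `show crypto isakmp sa` are the commands to watch while testing the failover.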