I am working on an ASA with dual ISP's. One primary and one backup. I configured IPSLA, tested and it works fine.
The customer has a VPN back to a Sonicwall using the primary ISP and is working fine. They want to use the Backup ISP for the VPN all the time while still using the Primary for internet access.
I put a static /32 route pointing traffic to the Sonicwall Peer IP using the Backup ISP gateway and changed ISKMP and Crypto map to use the Backup ISP. No other changes were made.
The tunnel comes up with no problem. Pings go from the Sonicwall side to the ASA side with no problem but pings from the ASA to the Sonicwall Time Out.
If I put it back to using the Primary ISP it works just fine.
just a note: The ASA does not have the SEC Plus License
Here is the original config:
All I changed on this is:
route remote 3.3.3.3 255.255.255.255 2.2.2.1
crypto map mymap interface remote
crypto isakmp enable remote
ASA# sho run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA
enable password L/55vdNl.Ih6VNHi encrypted
passwd L/55vdNl.Ih6VNHi encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
!
interface Vlan2
no forward interface Vlan3
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.248
!
interface Vlan3
nameif remote
security-level 0
ip address 2.2.2.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone Eastern -5
clock summer-time Eastern recurring
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any interface outside eq 5000
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.2.0 255.255.255.0
access-list 102 extended permit tcp any host x.x.x.x eq telnet
access-list 102 extended permit tcp any host x.x.x.x eq telnet
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.16.20.0 255.255.255.0
access-list NONAT extended permit ip 172.16.2.0 255.255.255.0 10.16.20.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap warnings
logging history informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu remote 1500
ip local pool vpnpool 10.0.0.1-10.0.0.10
ip local pool vpnclient 10.16.20.1-10.16.20.5
ip local pool VPNDHCP 192.168.254.10-192.168.254.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (remote) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.232 3389 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.247 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.249 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.248 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.250 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route remote 0.0.0.0 0.0.0.0 2.2.2.1 100
route inside 172.16.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 4.4.4.4 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set NORMAL esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65535 set transform-set my-set
crypto map mymap 1 match address 103
crypto map mymap 1 set peer 3.3.3.3
crypto map mymap 1 set transform-set NORMAL
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
!
track 1 rtr 1 reachability
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global
The customer has a VPN back to a Sonicwall using the primary ISP and is working fine. They want to use the Backup ISP for the VPN all the time while still using the Primary for internet access.
I put a static /32 route pointing traffic to the Sonicwall Peer IP using the Backup ISP gateway and changed ISKMP and Crypto map to use the Backup ISP. No other changes were made.
The tunnel comes up with no problem. Pings go from the Sonicwall side to the ASA side with no problem but pings from the ASA to the Sonicwall Time Out.
If I put it back to using the Primary ISP it works just fine.
just a note: The ASA does not have the SEC Plus License
Here is the original config:
All I changed on this is:
route remote 3.3.3.3 255.255.255.255 2.2.2.1
crypto map mymap interface remote
crypto isakmp enable remote
ASA# sho run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA
enable password L/55vdNl.Ih6VNHi encrypted
passwd L/55vdNl.Ih6VNHi encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
!
interface Vlan2
no forward interface Vlan3
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.248
!
interface Vlan3
nameif remote
security-level 0
ip address 2.2.2.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone Eastern -5
clock summer-time Eastern recurring
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any host x.x.x.x eq 3389
access-list 101 extended permit tcp any interface outside eq 5000
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.2.0 255.255.255.0
access-list 102 extended permit tcp any host x.x.x.x eq telnet
access-list 102 extended permit tcp any host x.x.x.x eq telnet
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.16.20.0 255.255.255.0
access-list NONAT extended permit ip 172.16.2.0 255.255.255.0 10.16.20.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging asdm-buffer-size 512
logging monitor debugging
logging buffered debugging
logging trap warnings
logging history informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu remote 1500
ip local pool vpnpool 10.0.0.1-10.0.0.10
ip local pool vpnclient 10.16.20.1-10.16.20.5
ip local pool VPNDHCP 192.168.254.10-192.168.254.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (remote) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.232 3389 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.247 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.249 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.248 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.1.250 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
route remote 0.0.0.0 0.0.0.0 2.2.2.1 100
route inside 172.16.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 4.4.4.4 interface outside
num-packets 3
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set NORMAL esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65535 set transform-set my-set
crypto map mymap 1 match address 103
crypto map mymap 1 set peer 3.3.3.3
crypto map mymap 1 set transform-set NORMAL
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
!
track 1 rtr 1 reachability
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
!
service-policy global_policy global