Has anyone tried to create redundant VPN tunnels using the ASA? Our provider gave us 'two' links over a trunked port and one cable drop, so we have the ASA with two VLANs: one 'Internet' and one to the main office. We currently have one tunnel up but would like to have redundancy. Here is the current scrubbed config:
ASA Version 7.2(4)
!
hostname XXXX0101025505
enable password encrypted
passwd encrypted
names
name X.X.67.0 Somecity_VLAN67
name X.X.2.0 Somecity_VLAN2
name X.X.7.0 Somecity_VLAN7
name X.X.6.0 Somecity_VLAN6
name X.X.8.0 Somecity_VLAN8
name X.X.5.0 Somecity_VLAN5
name X.X.1.0 Somecity_VLAN1
name X.X.4.0 Somecity_VLAN4
name X.X.32.0 UpperArlington_Subnet32
!
interface Vlan64
nameif XXXXNetwork
security-level 100
ip address X.X.64.251 255.255.255.0
interface Vlan1201
nameif Internet
security-level 0
ip address x.x.x.130 255.0.0.0
!
interface Vlan1204
nameif XXXX
security-level 0
ip address X.X.99.251 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 1200-1204
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 64
!
interface Ethernet0/2
switchport access vlan 64
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone UTC -4
object-group network XXXXLocal
description YYYY XXXX Office
network-object X.X.64.0 255.255.255.0
object-group network XxxxRemote
description Remote network list for the YYYY Xxxxstown office.
network-object Somecity_VLAN2 255.255.255.0
network-object Somecity_VLAN67 255.255.255.0
network-object Somecity_VLAN7 255.255.255.0
network-object Somecity_VLAN1 255.255.255.0
network-object Somecity_VLAN5 255.255.255.0
network-object Somecity_VLAN6 255.255.255.0
network-object Somecity_VLAN8 255.255.255.0
network-object Somecity_VLAN4 255.255.255.0
network-object Upper_Subnet32 255.255.255.0
access-list crypto10 extended permit ip object-group XXXXLocal any
access-list inside_outbound_nat0_acl extended permit ip object-group XXXXLocal any
access-list YYYY extended permit tcp host X.X.99.3 any eq 50 log
access-list YYYY extended permit tcp host X.X.99.3 any eq 51 log
access-list YYYY extended permit udp host X.X.99.3 any eq isakmp log
access-list YYYY extended permit ip host X.X.99.0 any log
access-list YYYY extended permit icmp X.X.0.0 255.255.255.0 any
access-list YYYY extended deny ip 14.2.6.0 255.255.255.0 any log
access-list YYYY extended deny ip 127.0.0.0 255.255.255.0 any log
access-list YYYY extended deny ip 10.0.0.0 255.255.255.0 any log
access-list YYYY extended deny ip 0.0.0.0 255.0.0.0 any log
access-list YYYY extended deny ip 192.168.0.0 255.255.0.0 any log
access-list YYYY extended deny ip 192.0.2.0 255.255.255.0 any log
access-list YYYY extended deny ip 169.254.0.0 255.255.0.0 any log
access-list YYYY extended deny ip 224.0.0.0 224.0.0.0 any log
access-list YYYY extended deny ip host 255.255.255.255 any log
access-list YYYY extended deny icmp any any echo log
access-list YYYY extended deny icmp any any redirect log
access-list YYYY extended deny icmp any any mask-request log
pager lines 24
logging console critical
logging asdm informational
mtu XXXXNetwork 1500
mtu Internet 1500
mtu XXXX 1500
ip verify reverse-path interface XXXX
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (XXXXNetwork) 0 access-list inside_outbound_nat0_acl
access-group YYYY in interface XXXX
route XXXX 0.0.0.0 0.0.0.0 X.X.99.251 1
timeout xlate 0:30:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set YYYYXXXX
crypto map XXXX 10 match address crypto10
crypto map XXXX 10 set peer X.X.99.3
crypto map XXXX 10 set transform-set YYYYXXXX
crypto map XXXX interface XXXX
crypto isakmp enable XXXX
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 1
ssh X.X.75.0 255.255.255.0 XXXXNetwork
ssh X.X.64.0 255.255.255.0 XXXXNetwork
ssh timeout 5
console timeout 5
management-access XXXXNetwork
username mmmmm password eeeeeeee encrypted
tunnel-group X.X.99.3 type ipsec-l2l
tunnel-group X.X.99.3 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:
: end
XXXX0101025505#
NOW... I would like to add these lines; will this work?
no route YOUX 0.0.0.0 0.0.0.0 172.x.x.x 1
route YOUX 0.0.0.0 0.0.0.0 172.x.x.x 1 track 1
access-group YYYY in interface Internet
route backup 0.0.0.0 0.0.0.0 x.x.x.130 254
crypto ipsec transform-set YYYYInternet esp-3des esp-md5-hmac
crypto map Internet 10 match address crypto10
crypto map Internet 10 set peer x.x.x.7
crypto map Internet 10 set transform-set YYYYInternet
crypto map Internet interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group x.x.x.7 type ipsec-l2l
tunnel-group x.x.x.7 ipsec-attributes
pre-shared-key *
Lastly... can I have the ACL applied to two interfaces so that when the other link goes away, it will use the same ACL?
North
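The `track 1` in the proposed lines needs a matching `sla monitor` and `track` object, and the backup route must reference a real interface name. As an added example (not the poster's config and not vendor-supplied), here is how the tracked primary route, the higher-metric backup route, the two crypto maps and DPD fit together on ASA 7.2; the next-hop addresses X.X.99.1 and x.x.x.1 are assumed, and the probe target (the existing peer X.X.99.3) is assumed to answer ICMP.

```cisco
! Added example, not the poster's config. Gateways X.X.99.1 and x.x.x.1
! are assumed; substitute the provider's real next hops.
!
! 1. Probe the primary peer through the primary interface. When the probe
!    fails, the tracked route is withdrawn and the backup route is installed.
sla monitor 1
 type echo protocol ipIcmpEcho X.X.99.3 interface XXXX
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! 2. Primary default route tied to the track; backup on the Internet
!    interface with a worse metric so it only takes effect on failure.
route XXXX 0.0.0.0 0.0.0.0 X.X.99.1 1 track 1
route Internet 0.0.0.0 0.0.0.0 x.x.x.1 254
!
! 3. One crypto map per interface; both may match the same crypto ACL.
!    The routing table decides which interface, and so which peer, is used.
crypto map XXXX 10 match address crypto10
crypto map XXXX 10 set peer X.X.99.3
crypto map XXXX 10 set transform-set YYYYXXXX
crypto map XXXX interface XXXX
crypto map Internet 10 match address crypto10
crypto map Internet 10 set peer x.x.x.7
crypto map Internet 10 set transform-set YYYYInternet
crypto map Internet interface Internet
crypto isakmp enable XXXX
crypto isakmp enable Internet
!
! 4. DPD so a dead primary peer is detected and its SAs torn down promptly
!    instead of lingering until the IPsec lifetime expires.
tunnel-group X.X.99.3 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.7 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! 5. The same ACL name can be bound inbound on both outside-facing
!    interfaces, so the filter stays identical whichever link is active.
access-group YYYY in interface XXXX
access-group YYYY in interface Internet
```

Verify with `show track 1`, `show route` and `show crypto isakmp sa` after pulling the primary link; the tracked route should disappear and the Internet-side SA should come up.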