Cisco ASA back-up internet connection with site to site VPN
Some time ago a customer wanted a back-up solution at one of their offices for the internet connection and for the VPN connection towards the datacentre. At both locations they use Cisco ASA 5505 firewalls.
Configuration needed on the Office Firewall
Begin situation on the office Firewall:
#we have one internet connection with one default route
interface Vlan10
 nameif Outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
#VLAN interface connected to physical interface e0/0
interface Ethernet0/0
 switchport access vlan 10
#default route for internet
route Outside 0.0.0.0 0.0.0.0 10.10.10.10
First we need to configure a new VLAN interface for the back-up internet connection and bind it to a physical interface:
interface Vlan20
 nameif Back-up
 security-level 0
 ip address 20.20.20.1 255.255.255.0
interface Ethernet0/7
 switchport access vlan 20
Next we need to configure an SLA monitor and a tracked object that follows it; we will use the tracked object to detect whether the primary internet connection is up:
#with this configuration we monitor whether 8.8.8.8 is reachable through interface Outside
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Now that the SLA is configured we can alter the primary default route to depend on the tracked object and add a back-up default route that is used when the primary goes down. We do this by giving the two routes a different administrative distance (the number at the end of the route command): the tracked primary route keeps the default distance of 1 and the back-up route gets 150, so it is only installed while the primary route is withdrawn.
#delete the primary default route
no route Outside 0.0.0.0 0.0.0.0 10.10.10.10
#now add the new primary route with a distance of 1 and the SLA tracked object 1
route Outside 0.0.0.0 0.0.0.0 10.10.10.10 1 track 1
#add the secondary route with a distance of 150
route Back-up 0.0.0.0 0.0.0.0 20.20.20.20 150
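To make the failover behaviour concrete, here is an added Python model (example code, not part of the original post and not an ASA feature) that parses the office firewall's route and track lines and picks the default gateway the way the ASA does: a route tied to a tracked object is withdrawn while the SLA target is unreachable, and among the routes that remain the lowest administrative distance wins. The configuration text is a constructed sample copied from the post; the SLA reachability states are fed in by hand instead of being probed.

```python
# Added example (not part of the original post): a small Python model of how the
# ASA chooses its default gateway from a tracked primary route and a backup route
# with a higher administrative distance, driven by the state of the SLA monitor.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the office firewall's SLA, track and route lines from the post.
OFFICE_CONFIG = """
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route Outside 0.0.0.0 0.0.0.0 10.10.10.10 1 track 1
route Back-up 0.0.0.0 0.0.0.0 20.20.20.20 150
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")


@dataclass
class StaticRoute:
    interface: str
    network: str
    mask: str
    gateway: str
    distance: int            # administrative distance; the ASA default is 1
    track_id: Optional[int]  # tracked object the route depends on, if any


def parse_routes(config: str) -> List[StaticRoute]:
    """Collect the static routes from an ASA configuration excerpt."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw, dist, trk = m.groups()
            routes.append(StaticRoute(iface, net, mask, gw, int(dist or 1), int(trk) if trk else None))
    return routes


def parse_tracks(config: str) -> Dict[int, int]:
    """Map each tracked object id to the SLA monitor id it watches."""
    return {int(m.group(1)): int(m.group(2))
            for m in (TRACK_RE.match(l.strip()) for l in config.splitlines()) if m}


def active_default_route(routes: List[StaticRoute], tracks: Dict[int, int],
                         sla_reachable: Dict[int, bool]) -> Optional[StaticRoute]:
    """Route the ASA installs for 0.0.0.0/0 given the SLA reachability results.
    A tracked route is withdrawn while its SLA target is unreachable; of the
    routes that remain, the lowest administrative distance wins."""
    candidates = []
    for r in routes:
        if (r.network, r.mask) != ("0.0.0.0", "0.0.0.0"):
            continue
        if r.track_id is not None and not sla_reachable.get(tracks.get(r.track_id), False):
            continue  # SLA says the target is down (or the track is undefined): route withdrawn
        candidates.append(r)
    return min(candidates, key=lambda r: r.distance) if candidates else None


def failover_sequence(config: str, states: List[Dict[int, bool]]):
    """For each successive SLA state, return the (interface, gateway) in use, or None."""
    routes, tracks = parse_routes(config), parse_tracks(config)
    out = []
    for state in states:
        r = active_default_route(routes, tracks, state)
        out.append((r.interface, r.gateway) if r else None)
    return out


if __name__ == "__main__":
    # Primary up, primary down (8.8.8.8 unreachable), primary back up again.
    sequence = [{1: True}, {1: False}, {1: True}]
    for state, chosen in zip(sequence, failover_sequence(OFFICE_CONFIG, sequence)):
        print(f"8.8.8.8 reachable={state[1]}: default route via {chosen}")
```

The `interface Outside` keyword on the SLA probe is what makes the model's third step possible on a real ASA: the echo is sourced out of the Outside interface regardless of the routing table, so the probe keeps testing the primary path while the back-up route is active and the primary route can be reinstated once 8.8.8.8 answers again.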
We have now implemented a back-up solution for internet traffic. For the site to site VPN we need to make some changes on the Datacentre firewall; no VPN changes are needed on the Office firewall.
Configuration needed on the Datacentre Firewall
To make the site to site VPN between the Office and Datacentre redundant for the Office we need to make some changes in the VPN configuration on the Datacentre Firewall.
Begin situation on the Datacentre Firewall for the VPN:
#ACL for traffic that will be used for the VPN
access-list VPNtoOffice extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
#Crypto map configuration for the VPN (match address references the ACL defined above)
crypto map VPNtoOffice_map 1 match address VPNtoOffice
crypto map VPNtoOffice_map 1 set peer 10.10.10.1
crypto map VPNtoOffice_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPNtoOffice_map interface Outside
#ike policy used for the VPN
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
#Group policy used for the VPN
group-policy GroupPolicy_10.10.10.1 internal
group-policy GroupPolicy_10.10.10.1 attributes
 vpn-tunnel-protocol ikev1
#tunnel group configuration used for the VPN (created as a LAN-to-LAN tunnel group)
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 general-attributes
 default-group-policy GroupPolicy_10.10.10.1
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key secret
To let the Datacentre firewall accept the VPN from either of the Office firewall's internet connections, we need to alter the crypto map peer configuration so that it lists both peer addresses. We also need a group policy and a tunnel group for the extra peer; keep in mind that the pre-shared key must be the same for both peers.
#Alter the crypto map peer configuration to use both peers
no crypto map VPNtoOffice_map 1 set peer 10.10.10.1
crypto map VPNtoOffice_map 1 set peer 10.10.10.1 20.20.20.1
#group policy for the new peer
group-policy GroupPolicy_20.20.20.1 internal
group-policy GroupPolicy_20.20.20.1 attributes
 vpn-tunnel-protocol ikev1
#Tunnel group configuration for the new peer (created as a LAN-to-LAN tunnel group)
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 general-attributes
 default-group-policy GroupPolicy_20.20.20.1
tunnel-group 20.20.20.1 ipsec-attributes
 ikev1 pre-shared-key secret
Now the VPN configuration will also accept a tunnel established from the back-up internet connection's IP address. We have created a back-up solution for both the Internet and the site to site VPN connection.
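The change above has three things that must line up: every peer in the crypto map entry needs its own tunnel group with a pre-shared key, those keys must be identical, and the crypto map entry must reference an access-list that exists. The following added Python checker (example code, not part of the original post and not a Cisco tool) parses a datacentre configuration excerpt and reports any of those mismatches. Both configuration texts are constructed samples: the first is the post's final configuration, the second deliberately leaves out the second tunnel group and points the crypto map at an undefined ACL so the findings show what a half-finished change looks like.

```python
# Added example (not part of the original post): consistency check for the
# datacentre ASA's site-to-site VPN configuration with two peer addresses.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the datacentre firewall after the change described in the post.
DC_CONFIG = """
access-list VPNtoOffice extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map VPNtoOffice_map 1 match address VPNtoOffice
crypto map VPNtoOffice_map 1 set peer 10.10.10.1 20.20.20.1
crypto map VPNtoOffice_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPNtoOffice_map interface Outside
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key secret
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
 ikev1 pre-shared-key secret
"""

# Constructed sample: second peer added to the crypto map but no tunnel group
# for it yet, and the crypto map referencing an ACL that is not defined.
BROKEN_CONFIG = """
access-list VPNtoOffice extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map VPNtoOffice_map 1 match address Outside_cryptomap
crypto map VPNtoOffice_map 1 set peer 10.10.10.1 20.20.20.1
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key secret
"""


def parse_vpn_config(config: str) -> Tuple[Set[str], Dict[Tuple[str, int], dict], Dict[str, str]]:
    """Extract ACL names, crypto map entries and tunnel-group pre-shared keys."""
    acls: Set[str] = set()
    entries: Dict[Tuple[str, int], dict] = defaultdict(dict)  # (map, seq) -> {"acl", "peers"}
    psks: Dict[str, str] = {}                                  # tunnel-group name -> key
    current_tg = None  # tunnel group whose ipsec-attributes sub-mode we are in
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access-list "):
            acls.add(line.split()[1])
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            entries[(m[1], int(m[2]))]["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (.+)$", line):
            entries[(m[1], int(m[2]))]["peers"] = m[3].split()
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            current_tg = m[1]
        elif m := re.match(r"ikev1 pre-shared-key (\S+)$", line):
            if current_tg:
                psks[current_tg] = m[1]
        elif line.startswith("tunnel-group "):
            current_tg = None  # a different tunnel-group sub-mode (type / general-attributes)
    return acls, entries, psks


def check_vpn_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means the peer setup is consistent."""
    acls, entries, psks = parse_vpn_config(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        acl = e.get("acl")
        if acl is None:
            findings.append(f"{name} {seq}: no match address configured")
        elif acl not in acls:
            findings.append(f"{name} {seq}: references undefined access-list {acl}")
        peers = e.get("peers", [])
        if not peers:
            findings.append(f"{name} {seq}: no peer configured")
        keys = set()
        for p in peers:
            if p not in psks:
                findings.append(f"{name} {seq}: peer {p} has no tunnel-group with a pre-shared key")
            else:
                keys.add(psks[p])
        if len(keys) > 1:  # the post's requirement: both peers must use the same key
            findings.append(f"{name} {seq}: peers {' '.join(peers)} use different pre-shared keys")
    return findings


if __name__ == "__main__":
    for label, cfg in (("final", DC_CONFIG), ("half-finished", BROKEN_CONFIG)):
        print(f"{label}: {check_vpn_config(cfg) or 'OK'}")
```

Running the checker on the half-finished sample reports the undefined access-list and the missing tunnel group for 20.20.20.1; the final configuration produces no findings. Because the ASA masks pre-shared keys in `show running-config`, run a check like this against a configuration retrieved with `more system:running-config`, where the keys are visible, if you want the key comparison to mean anything.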
This blog is written by my colleague Samir Boctor. His linkedin profile will be added later. He’s reading these comments, or you can contact him by contacting me.
Nice post Samir, I recently did the same config at a customer on two routers without vpn. This looked like this:
!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 10.0.0.2 source-ipaddr 192.168.1.1
ip sla monitor schedule 1 life forever start-time now
!
!
track 1 rtr 1
!
!
ip route 4.4.4.4 255.255.255.255 10.0.0.2 track 1
ip route 4.4.4.4 255.255.255.255 172.18.1.2
!