Cisco ASA back-up internet connection with site to site VPN

Some time ago a customer wanted a back-up solution at one of their offices for the internet and VPN connection towards the datacentre. At both locations they use Cisco ASA 5505 firewalls.
Configuration needed on the Office Firewall

Begin situation on the office Firewall:

#we have one internet connection with one default route
interface Vlan10
nameif Outside
security-level 0
ip address 10.10.10.1 255.255.255.0
#VLAN interface connected to physical interface e0/0
interface Ethernet0/0
switchport access vlan 10
#default route for internet
route Outside 0.0.0.0 0.0.0.0 10.10.10.10

First we need to configure a new VLAN interface for the back-up internet connection and assign it to a physical interface:

interface Vlan20
nameif Back-up
security-level 0
ip address 20.20.20.1 255.255.255.0
interface Ethernet0/7
switchport access vlan 20

Next we need to create an SLA monitor and a tracked object bound to it; we will use this to monitor whether the primary internet connection is up:

#with this configuration we monitor whether 8.8.8.8 is reachable through interface Outside
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

Now that the SLA is configured we can alter the primary default route to use the tracked object and add a back-up default route that takes over if the primary goes down. We do this by giving the two routes different priorities (the administrative distance value after the gateway address).

#delete the primary default route
no route Outside 0.0.0.0 0.0.0.0 10.10.10.10
#Now add the new primary route with a priority of 1 and the SLA (tracked) object 1
route Outside 0.0.0.0 0.0.0.0 10.10.10.10 1 track 1
#add the secondary route with a priority of 150
route Back-up 0.0.0.0 0.0.0.0 20.20.20.20 150

We have just implemented a back-up solution for internet traffic. For the site to site VPN we need to make some changes on the Datacentre firewall; no changes are needed on the Office firewall for the VPN.
Configuration needed on the Datacentre Firewall
To make the site to site VPN between the Office and Datacentre redundant for the Office we need to make some changes in the VPN configuration on the Datacentre Firewall.
Begin situation on the Datacentre Firewall for the VPN:

#ACL for traffic that will be used for the VPN
access-list VPNtoOffice extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
#Crypto map configuration for the VPN
crypto map VPNtoOffice_map 1 match address VPNtoOffice
crypto map VPNtoOffice_map 1 set peer 10.10.10.1
crypto map VPNtoOffice_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPNtoOffice_map interface Outside
#ike policy used for the VPN
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
#Group policy used for the VPN
group-policy GroupPolicy_10.10.10.1 internal
group-policy GroupPolicy_10.10.10.1 attributes
vpn-tunnel-protocol ikev1
#tunnel group configuration used for the VPN
tunnel-group 10.10.10.1 general-attributes
default-group-policy GroupPolicy_10.10.10.1
tunnel-group 10.10.10.1 ipsec-attributes
ikev1 pre-shared-key secret

To let the VPN between the Office and the datacentre be established from either of the Office firewall's internet connections, we need to alter the crypto map peer configuration. We also need to configure a group policy and tunnel group for the extra peer; keep in mind that the pre-shared key must be the same for both peers.

#Alter the crypto map peer configuration to use both peers
no crypto map VPNtoOffice_map 1 set peer 10.10.10.1
crypto map VPNtoOffice_map 1 set peer 10.10.10.1 20.20.20.1
#group policy for the new peer
group-policy GroupPolicy_20.20.20.1 internal
group-policy GroupPolicy_20.20.20.1 attributes
vpn-tunnel-protocol ikev1
#Tunnel group configuration for the new peer
tunnel-group 20.20.20.1 general-attributes
default-group-policy GroupPolicy_20.20.20.1
tunnel-group 20.20.20.1 ipsec-attributes
ikev1 pre-shared-key secret

Now the VPN configuration will also accept a VPN to be established from the back-up internet connection IP. We have created a back-up solution for both the internet and the site to site VPN connection.
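The two checks below are an added example (not part of the original post or the ASA's own tooling) that models what the configuration above relies on: the Office firewall installs the lowest-priority default route whose tracked object is up, and the Datacentre firewall needs a tunnel-group for every peer listed on the crypto map. The config snippets are constructed from the lines in this post.

```python
import re

# Constructed sample: the office firewall's default routes from the post,
# and the datacentre firewall's crypto map peer and tunnel-group lines.
OFFICE_CFG = """
route Outside 0.0.0.0 0.0.0.0 10.10.10.10 1 track 1
route Back-up 0.0.0.0 0.0.0.0 20.20.20.20 150
"""
DC_CFG = """
crypto map VPNtoOffice_map 1 set peer 10.10.10.1 20.20.20.1
tunnel-group 10.10.10.1 ipsec-attributes
tunnel-group 20.20.20.1 ipsec-attributes
"""

# route <iface> <net> <mask> <gateway> [<distance>] [track <id>]
ROUTE_RE = re.compile(
    r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")

def parse_routes(cfg):
    routes = []
    for line in cfg.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw, ad, track = m.groups()
            routes.append({"iface": iface, "net": net, "mask": mask, "gw": gw,
                           "ad": int(ad) if ad else 1,
                           "track": int(track) if track else None})
    return routes

def active_default_route(routes, track_state):
    """Return (interface, gateway) of the default route the ASA installs:
    routes whose tracked object is down are withdrawn, then the lowest
    administrative distance wins. track_state maps track id -> up (bool)."""
    candidates = [r for r in routes if r["net"] == "0.0.0.0"
                  and (r["track"] is None or track_state.get(r["track"], False))]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r["ad"])
    return best["iface"], best["gw"]

def peers_missing_tunnel_group(cfg):
    """Every peer on the crypto map needs its own tunnel-group; otherwise IKE
    from that address falls back to DefaultL2LGroup, which normally has no
    matching pre-shared key, and the back-up tunnel never comes up."""
    peers, groups = set(), set()
    for line in cfg.strip().splitlines():
        m = re.match(r"^crypto map \S+ \d+ set peer (.+)$", line.strip())
        if m:
            peers.update(m.group(1).split())
        m = re.match(r"^tunnel-group (\S+) ", line.strip())
        if m:
            groups.add(m.group(1))
    return sorted(peers - groups)
```

Run the second check against the Datacentre config before and after the change in this post: with only the 10.10.10.1 tunnel-group present it reports the back-up peer as missing.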
This blog is written by my colleague Samir Boctor. His LinkedIn profile will be added later. He's reading these comments, or you can contact him by contacting me.

One comment

  • Nice post Samir, I recently did the same config at a customer on two routers without vpn. This looked like this:
    !
    !
    ip sla monitor 1
    type echo protocol ipIcmpEcho 10.0.0.2 source-ipaddr 192.168.1.1
    ip sla monitor schedule 1 life forever start-time now
    !
    !
    track 1 rtr 1
    !
    !
    ip route 4.4.4.4 255.255.255.255 10.0.0.2 track 1
    ip route 4.4.4.4 255.255.255.255 172.18.1.2
    !
