Even if the edge itself is a single point of failure, it is still worth having two upstream links. Two upstream links means two VPN tunnels: if one tunnel goes down, the second takes over the work of the first.
In this article we configure a failover VPN tunnel between two ASAs. The solution scales if there are more "branches". Below is a diagram of the entire lab. Nothing complicated.
ASA 1
1. Interface configuration
interface GigabitEthernet0/0
nameif OUTSIDE1
security-level 0
ip address 1.0.1.1 255.255.255.0
interface GigabitEthernet0/1
nameif OUTSIDE2
security-level 0
ip address 1.0.2.1 255.255.255.0
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 10.1.0.100 255.255.255.0
2. Marking the "interesting traffic" that will be encrypted, and adding it to the access list that is later referenced by the crypto map "match" statement
object network Local-LAN
subnet 10.1.0.0 255.255.255.0
object network Remote-LAN
subnet 10.2.0.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip object Local-LAN object Remote-LAN
3. Identity NAT exempts the VPN traffic from translation on the OUTSIDE1/OUTSIDE2 interfaces: the source and destination addresses are kept unchanged when traffic from the local LAN is destined for the remote VPN network. Without it, the PAT rule in the next step would translate this traffic and it would no longer match the crypto access list.
nat (INSIDE,OUTSIDE1) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE2) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
4. All other traffic, which will not be encrypted, is simply PATed to the OUTSIDE interface address. This NAT rule has to come after the identity NAT, so the best place for it is the last, "after-auto" section.
nat (INSIDE,OUTSIDE1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE2) after-auto source dynamic any interface
5. We need two default routes, one towards each ISP. The second is a so-called "floating route" and has a higher metric than the first. The first route is conditional on the tracking object (created later): when the track goes down, the primary route is withdrawn and the floating route is installed in the routing table immediately.
route OUTSIDE1 0.0.0.0 0.0.0.0 1.0.1.100 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 1.0.2.100 2
6. Sysopt (system option) commands change the ASA's default behaviour. "sysopt connection tcpmss 1360" caps the TCP maximum segment size at 1360 bytes to leave room for the IPsec overhead; "sysopt connection preserve-vpn-flows" is crucial here, because it keeps the existing connection state when the L2L tunnel flaps instead of dropping the flows.
sysopt connection tcpmss 1360
sysopt connection preserve-vpn-flows
7. Now let's configure an SLA probe on OUTSIDE1, which is the primary VPN interface, to monitor the external IP address 4.4.4.4 (an ICMP echo every 10 seconds with a 6000 ms timeout).
sla monitor 77
type echo protocol ipIcmpEcho 4.4.4.4 interface OUTSIDE1
timeout 6000
frequency 10
sla monitor schedule 77 life forever start-time now
8. Let's proceed to the ISAKMP (IKEv1 phase 1) policy
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
9. Now let's create the tracking object that is attached to the "primary VPN" default route. It follows the reachability state of the SLA probe, so the "rtr" id must be the SLA monitor id defined in step 7 (77 here), otherwise the track never comes up and the primary route is never installed.
track 1 rtr 77 reachability
10. We configure the VPN tunnel between the two ASAs: one tunnel-group per remote peer address
tunnel-group 2.0.1.1 type ipsec-l2l
tunnel-group 2.0.1.1 ipsec-attributes
ikev1 pre-shared-key itbundle
tunnel-group 2.0.2.1 type ipsec-l2l
tunnel-group 2.0.2.1 ipsec-attributes
ikev1 pre-shared-key itbundle
11. And the IPsec transform set with a crypto map, applied to both OUTSIDE1 and OUTSIDE2. The peers are listed in order of preference: the ASA tries the first and falls back to the second.
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address VPN-TRAFFIC
crypto map VPN 10 set peer 2.0.1.1 2.0.2.1
crypto map VPN 10 set ikev1 transform-set myset
crypto map VPN interface OUTSIDE1
crypto map VPN interface OUTSIDE2
12. Finally we enable IKEv1 on both OUTSIDE interfaces
crypto ikev1 enable OUTSIDE1
crypto ikev1 enable OUTSIDE2
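A mismatch like a track object pointing at the wrong SLA id is easy to miss by eye and only shows up when the primary route never appears in the routing table. The following script is an added example for this article (it is not Cisco tooling and not part of the original post): it parses the statements that make the failover work and checks that the track references a defined SLA monitor, that a tracked primary route and a higher-metric floating route both exist, that every crypto map peer has an ipsec-l2l tunnel-group, that the crypto map and IKEv1 are enabled on the same interfaces, and that identity NAT exists towards every crypto map interface. The embedded configuration is a constructed copy of the ASA 1 configuration above, with the track deliberately pointing at a non-existent SLA id to show the finding.

```python
"""Consistency checks for a dual-ISP ASA IPsec failover configuration.
Constructed example: a minimal parser for the statements used above, not
a general ASA config parser."""
import re


def parse_asa(text):
    """Collect the failover-relevant objects from an ASA running-config."""
    cfg = {"sla": set(), "track": {}, "routes": [], "peers": set(),
           "tunnel_groups": set(), "map_ifaces": set(), "ikev1_ifaces": set(),
           "identity_nat_ifaces": set(), "nameifs": set()}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["sla", "monitor"] and len(t) >= 3 and t[2].isdigit():
            cfg["sla"].add(int(t[2]))                       # sla monitor <id>
        elif t[0] == "track" and len(t) >= 4 and t[2] == "rtr":
            cfg["track"][int(t[1])] = int(t[3])             # track <id> rtr <sla>
        elif t[0] == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            track = int(t[t.index("track") + 1]) if "track" in t else None
            cfg["routes"].append({"iface": t[1], "gw": t[4],
                                  "metric": int(t[5]), "track": track})
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tunnel_groups"].add(t[1])
        elif t[:2] == ["crypto", "map"] and "set" in t and "peer" in t:
            cfg["peers"].update(t[t.index("peer") + 1:])    # ordered peer list
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            cfg["map_ifaces"].add(t[4])
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_ifaces"].add(t[3])
        elif t[0] == "nat" and "source" in t and "static" in t:
            m = re.match(r"\((\w+),(\w+)\)", t[1])          # nat (INSIDE,OUTSIDEx)
            if m:
                cfg["identity_nat_ifaces"].add(m.group(2))
        elif t[0] == "nameif":
            cfg["nameifs"].add(t[1])
    return cfg


def check_failover(text):
    """Return a list of human-readable findings; empty means consistent."""
    cfg = parse_asa(text)
    findings = []
    for tid, sla in cfg["track"].items():
        if sla not in cfg["sla"]:
            findings.append(f"track {tid} references sla monitor {sla}, which is not defined")
    tracked = [r for r in cfg["routes"] if r["track"] is not None]
    floating = [r for r in cfg["routes"] if r["track"] is None]
    for r in tracked:
        if r["track"] not in cfg["track"]:
            findings.append(f"route via {r['iface']} uses undefined track {r['track']}")
    if not tracked or not floating:
        findings.append("need one tracked default route and one untracked floating route")
    elif min(f["metric"] for f in floating) <= max(r["metric"] for r in tracked):
        findings.append("floating route metric must be higher than the tracked route metric")
    for p in sorted(cfg["peers"] - cfg["tunnel_groups"]):
        findings.append(f"crypto map peer {p} has no ipsec-l2l tunnel-group")
    for i in sorted(cfg["map_ifaces"] - cfg["ikev1_ifaces"]):
        findings.append(f"crypto map applied on {i} but ikev1 is not enabled there")
    for i in sorted(cfg["ikev1_ifaces"] - cfg["map_ifaces"]):
        findings.append(f"ikev1 enabled on {i} but no crypto map is applied")
    for i in sorted(cfg["map_ifaces"] - cfg["identity_nat_ifaces"]):
        findings.append(f"no identity NAT towards {i}; VPN traffic would be PATed")
    for i in sorted(cfg["map_ifaces"] | {r["iface"] for r in cfg["routes"]}):
        if i not in cfg["nameifs"]:
            findings.append(f"interface name {i} has no nameif")
    return findings


# Constructed sample: the ASA 1 configuration from the article, with the
# track pointing at SLA id 1 although the probe is "sla monitor 77".
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif OUTSIDE1
 ip address 1.0.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif OUTSIDE2
 ip address 1.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif INSIDE
 ip address 10.1.0.100 255.255.255.0
nat (INSIDE,OUTSIDE1) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE2) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE2) after-auto source dynamic any interface
route OUTSIDE1 0.0.0.0 0.0.0.0 1.0.1.100 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 1.0.2.100 2
sla monitor 77
 type echo protocol ipIcmpEcho 4.4.4.4 interface OUTSIDE1
sla monitor schedule 77 life forever start-time now
track 1 rtr 1 reachability
tunnel-group 2.0.1.1 type ipsec-l2l
tunnel-group 2.0.2.1 type ipsec-l2l
crypto map VPN 10 match address VPN-TRAFFIC
crypto map VPN 10 set peer 2.0.1.1 2.0.2.1
crypto map VPN 10 set ikev1 transform-set myset
crypto map VPN interface OUTSIDE1
crypto map VPN interface OUTSIDE2
crypto ikev1 enable OUTSIDE1
crypto ikev1 enable OUTSIDE2
"""

CORRECTED_CONFIG = SAMPLE_CONFIG.replace("track 1 rtr 1 reachability",
                                         "track 1 rtr 77 reachability")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, check_failover(text) or "OK")
```

Run it against a saved `show running-config` before a change window; the checks are deliberately strict about the pairing of crypto map, IKEv1 enable and identity NAT per interface, because a tunnel that only works on one of the two OUTSIDE interfaces defeats the purpose of the floating route.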
ASA 2
interface GigabitEthernet0/0
nameif OUTSIDE1
security-level 0
ip address 2.0.1.1 255.255.255.0
interface GigabitEthernet0/1
nameif OUTSIDE2
security-level 0
ip address 2.0.2.1 255.255.255.0
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 10.2.0.100 255.255.255.0
object network Local-LAN
subnet 10.2.0.0 255.255.255.0
object network Remote-LAN
subnet 10.1.0.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip object Local-LAN object Remote-LAN
nat (INSIDE,OUTSIDE1) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE2) source static Local-LAN Local-LAN destination static Remote-LAN Remote-LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE1) after-auto source dynamic any interface
nat (INSIDE,OUTSIDE2) after-auto source dynamic any interface
route OUTSIDE1 0.0.0.0 0.0.0.0 2.0.1.100 1 track 1
route OUTSIDE2 0.0.0.0 0.0.0.0 2.0.2.100 2
sysopt connection tcpmss 1360
sysopt connection preserve-vpn-flows
sla monitor 66
type echo protocol ipIcmpEcho 4.4.4.4 interface OUTSIDE1
timeout 6000
frequency 10
sla monitor schedule 66 life forever start-time now
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
track 1 rtr 66 reachability
tunnel-group 1.0.1.1 type ipsec-l2l
tunnel-group 1.0.1.1 ipsec-attributes
ikev1 pre-shared-key itbundle
tunnel-group 1.0.2.1 type ipsec-l2l
tunnel-group 1.0.2.1 ipsec-attributes
ikev1 pre-shared-key itbundle
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address VPN-TRAFFIC
crypto map VPN 10 set peer 1.0.1.1 1.0.2.1
crypto map VPN 10 set ikev1 transform-set myset
crypto map VPN interface OUTSIDE1
crypto map VPN interface OUTSIDE2
crypto ikev1 enable OUTSIDE1
crypto ikev1 enable OUTSIDE2