I have been looking on the internet for a sample configuration of a redundant site-to-site IPsec tunnel with multiple links but haven't been able to find anything straightforward. The commands here are for a Cisco ASA 5510 running IOS 8.3 and a Cisco ASA 5505 running the same version. Here is a short description of the networks I will be using before we get started:
192.168.1.0: internal network of the ASA 5510
192.168.2.0: internal network of the ASA 5505
10.0.1.0: network assigned by your first internet provider (connected to the ASA 5510 interface outside-1)
10.0.2.0: network assigned by your second internet provider (connected to the ASA 5510 interface outside-2)
172.16.1.0: network assigned by your third internet provider (connected to the ASA 5505 interface outside)
Now let’s get to it!
First off, configure the interfaces on the 5510 (the inside address must sit in the 192.168.1.0 network listed above):
interface Ethernet0/0
nameif inside
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
nameif outside-1
ip address 10.0.1.2 255.255.255.0
interface Ethernet0/2
nameif outside-2
ip address 10.0.2.2 255.255.255.0
Create the network objects and the NAT exemption rules that keep the VPN traffic from being NATed on either outside interface:
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside-1) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside-2) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
Now create the access list that selects the interesting VPN traffic:
access-list outside_cryptomap0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Create the security policies:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
Create the tunnel group for the remote peer (this is the Phase 1 association; the type line has to come before the ipsec-attributes):
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
pre-shared-key abc123
peer-id-validate nocheck
Create the crypto maps (one per outside interface, both pointing at the same remote peer):
crypto map outside-1_map0 1 match address outside_cryptomap0
crypto map outside-1_map0 1 set peer 172.16.1.2
crypto map outside-1_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-2_map0 2 match address outside_cryptomap0
crypto map outside-2_map0 2 set peer 172.16.1.2
crypto map outside-2_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
Map the cryptomaps to the interfaces and enable isakmp on the interfaces:
crypto map outside-1_map0 interface outside-1
crypto map outside-2_map0 interface outside-2
crypto isakmp enable outside-1
crypto isakmp enable outside-2
Before we go ahead and configure the routing table, let's configure the SLA monitor and the tracking object that the routes will reference (without the track object, the "track 1" keyword on the routes has nothing to follow):
sla monitor 1
type echo protocol ipIcmpEcho 10.0.1.1 interface outside-1
num-packets 2
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Now let's configure the routes. The outside-1 routes are tracked, so they are withdrawn when the SLA probe to 10.0.1.1 fails and the metric-2 routes through outside-2 take over. The route to the remote LAN is tracked as well, otherwise it would keep pointing out outside-1 after a failure; its next hop is the provider gateway, since the crypto map on the egress interface is what encrypts the traffic. 10.0.2.1 stands for the second provider's gateway on the 10.0.2.0 network:
route outside-1 0 0 10.0.1.1 1 track 1
route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1
route outside-1 192.168.2.0 255.255.255.0 10.0.1.1 1 track 1
route outside-2 0 0 10.0.2.1 2
route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2
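To see what the track object actually does to the table, here is an added Python model of the 5510's static routes (example code written for this post, not part of the original and not a Cisco tool). It applies the ASA's rules of withdrawing a tracked route when its track object is down, then longest prefix, then lowest metric, and shows that the remote-LAN route has to be tracked as well or traffic to 192.168.2.0 keeps leaving through outside-1 after the primary provider fails. The 10.0.2.1 next hop is an assumed address for the second provider's gateway, and the destination addresses used in the demo are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the 5510 routes in this post. 10.0.2.1 is an assumed address
# for the second provider's gateway; the remote-LAN route is tracked like the others.
ROUTES_5510 = """
route outside-1 0 0 10.0.1.1 1 track 1
route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1
route outside-1 192.168.2.0 255.255.255.0 10.0.1.1 1 track 1
route outside-2 0 0 10.0.2.1 2
route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2
"""

# Same table with the remote-LAN route left untracked, to show the difference.
ROUTES_5510_UNTRACKED_LAN = ROUTES_5510.replace(
    "route outside-1 192.168.2.0 255.255.255.0 10.0.1.1 1 track 1",
    "route outside-1 192.168.2.0 255.255.255.0 10.0.1.1 1")


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    track: Optional[int]


def parse_route(line: str) -> Route:
    """Parse one ASA 'route <if> <net> <mask> <gw> [metric] [track N]' line."""
    p = line.split()
    if p[0] != "route":
        raise ValueError(f"not a route statement: {line}")
    net, mask = p[2], p[3]
    if net == "0" and mask == "0":  # ASA shorthand for 0.0.0.0 0.0.0.0
        net = mask = "0.0.0.0"
    track = int(p[p.index("track") + 1]) if "track" in p else None
    metric = int(p[5]) if len(p) > 5 and p[5] != "track" else 1
    return Route(p[1], ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(p[4]), metric, track)


def parse_table(text: str) -> List[Route]:
    return [parse_route(l) for l in text.strip().splitlines() if l.strip()]


def egress(routes: List[Route], dst: str, track_state: Dict[int, bool]) -> Optional[Route]:
    """Route the ASA would pick for dst.

    A static route whose track object is down is withdrawn from the table; among
    the remaining matches the longest prefix wins, then the lowest metric.
    """
    ip = ipaddress.IPv4Address(dst)
    live = [r for r in routes
            if (r.track is None or track_state.get(r.track, True)) and ip in r.prefix]
    if not live:
        return None
    return min(live, key=lambda r: (-r.prefix.prefixlen, r.metric))


def failover_demo(table_text: str) -> Dict[str, str]:
    """Egress interface for remote-LAN and internet traffic with track 1 up and down.

    192.168.2.25 is a made-up host on the remote LAN and 203.0.113.9 a made-up
    internet address from the documentation range.
    """
    routes = parse_table(table_text)
    out = {}
    for state, label in ((True, "up"), (False, "down")):
        track_state = {1: state}
        out[f"lan_track_{label}"] = egress(routes, "192.168.2.25", track_state).iface
        out[f"inet_track_{label}"] = egress(routes, "203.0.113.9", track_state).iface
    return out


if __name__ == "__main__":
    print("tracked remote-LAN route:  ", failover_demo(ROUTES_5510))
    print("untracked remote-LAN route:", failover_demo(ROUTES_5510_UNTRACKED_LAN))
```

With the tracked table both the remote-LAN and the internet traffic move to outside-2 when track 1 goes down; with the untracked variant the 192.168.2.0/24 entry survives the failure and keeps sending the VPN traffic out the dead outside-1 interface, which is exactly the case the track keyword on that route prevents.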
Now let's configure the ASA 5505. First, the interfaces:
interface vlan 1
nameif inside
ip address 192.168.2.1 255.255.255.0
interface vlan 2
nameif outside
ip address 172.16.1.2 255.255.255.0
interface Ethernet0
switchport mode access
switchport access vlan 1
interface Ethernet1
switchport mode access
switchport access vlan 2
Create the network objects and the NAT exemption rule that keep the VPN traffic from being NATed (the 5505 has a single outside interface, so the rule references "outside"):
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0
Create the access list (the mirror image of the one on the 5510):
access-list outside_cryptomap0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Create the security policies:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
Create the tunnel groups (one for each of the 5510's internet connections, since the tunnel can arrive from either outside address):
tunnel-group 10.0.1.2 type ipsec-l2l
tunnel-group 10.0.1.2 ipsec-attributes
pre-shared-key abc123
peer-id-validate nocheck
tunnel-group 10.0.2.2 type ipsec-l2l
tunnel-group 10.0.2.2 ipsec-attributes
pre-shared-key abc123
peer-id-validate nocheck
Create the dynamic crypto map (the 5505 does not know in advance which 5510 address the tunnel will come from, so it responds to whichever peer initiates rather than initiating itself):
crypto dynamic-map outside_map0 1 match address outside_cryptomap0
crypto dynamic-map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
Attach the dynamic crypto map to a crypto map:
crypto map outside_map 1 ipsec-isakmp dynamic outside_map0
Map the crypto map to the outside interface and enable ISAKMP on it:
crypto map outside_map interface outside
crypto isakmp enable outside
Configure the SLA monitor and the tracking object:
sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.1 interface outside
num-packets 2
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
Configure the routes. The 5505 has a single uplink, so the remote LAN is reached through the same provider gateway as everything else; which 5510 address the tunnel lands on is decided by the 5510, since the dynamic crypto map only responds:
route outside 192.168.1.0 255.255.255.0 172.16.1.1 1 track 1
route outside 0 0 172.16.1.1 1
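As an added check (Python written for this post, not part of the original config and not a Cisco tool), here is a small consistency checker for the parts of this setup that are easy to get wrong. It parses both ASAs' interfaces, routes, track objects and crypto ACLs, reports any route whose next hop is not on the egress interface's subnet or whose track object was never defined, and confirms that the two crypto ACLs mirror each other (otherwise Phase 2 never matches). The two config snippets are constructed from this post; the 5510 one deliberately keeps two mistakes (the outside-2 default route pointing at 10.0.1.2, which is the ASA's own outside-1 address, and a track 1 that is referenced but not defined) so the checks have something to report. 10.0.2.1 is an assumed gateway for the second provider.

```python
import ipaddress
import re
from typing import Dict, List

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) \d+(?: track (\d+))?$")
TRACK_RE = re.compile(r"^track (\d+) rtr \d+ reachability$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

# Constructed from this post; the 5510 snippet keeps two mistakes on purpose
# (off-subnet next hop on outside-2, track 1 referenced but never defined).
ASA5510 = """
interface Ethernet0/0
nameif inside
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
nameif outside-1
ip address 10.0.1.2 255.255.255.0
interface Ethernet0/2
ip address 10.0.2.2 255.255.255.0
nameif outside-2
access-list outside_cryptomap0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
route outside-1 0 0 10.0.1.1 1 track 1
route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1
route outside-2 0 0 10.0.1.2 2
route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2
"""

ASA5505 = """
interface vlan 1
nameif inside
ip address 192.168.2.1 255.255.255.0
interface vlan 2
nameif outside
ip address 172.16.1.2 255.255.255.0
access-list outside_cryptomap0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
track 1 rtr 1 reachability
route outside 192.168.1.0 255.255.255.0 172.16.1.1 1 track 1
route outside 0 0 172.16.1.1 1
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    if addr == "0" and mask == "0":  # ASA shorthand for the default route
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse_asa(text: str) -> dict:
    """Collect interfaces, routes, track objects and crypto ACL lines; ignore the rest."""
    cfg = {"ifaces": {}, "routes": [], "tracks": set(), "acls": {}}
    name = net = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        p = line.split()
        if p[0] == "interface":
            name = net = None
        elif p[0] == "nameif":
            name = p[1]
        elif p[:2] == ["ip", "address"]:
            net = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}").network
        if name and net:  # nameif and ip address may appear in either order
            cfg["ifaces"][name] = net
        if m := ROUTE_RE.match(line):
            iface, a, mk, gw, track = m.groups()
            cfg["routes"].append((iface, _net(a, mk), ipaddress.IPv4Address(gw),
                                  int(track) if track else None))
        elif m := TRACK_RE.match(line):
            cfg["tracks"].add(int(m.group(1)))
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), set()).add(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return cfg


def check_routes(cfg: dict) -> List[str]:
    """Next hop must be on-link on the egress interface; every track referenced must exist."""
    findings, missing_tracks = [], set()
    for iface, prefix, gw, track in cfg["routes"]:
        if iface not in cfg["ifaces"]:
            findings.append(f"route {prefix}: interface {iface} is not defined")
        elif gw not in cfg["ifaces"][iface]:
            findings.append(f"route {prefix}: next hop {gw} is not on {iface} ({cfg['ifaces'][iface]})")
        if track is not None and track not in cfg["tracks"]:
            missing_tracks.add(track)
    findings += [f"track {t} is referenced by a route but never defined" for t in sorted(missing_tracks)]
    return findings


def check_mirror(local: dict, local_acl: str, remote: dict, remote_acl: str) -> List[str]:
    """Each local (src, dst) pair must appear reversed on the peer or Phase 2 will not match."""
    mine = local["acls"].get(local_acl, set())
    theirs = {(d, s) for s, d in remote["acls"].get(remote_acl, set())}
    return [f"crypto ACL entry {s} -> {d} has no mirror on the peer" for s, d in mine - theirs]


def run_checks() -> Dict[str, List[str]]:
    a, b = parse_asa(ASA5510), parse_asa(ASA5505)
    return {"5510_routes": check_routes(a),
            "5505_routes": check_routes(b),
            "mirror": check_mirror(a, "outside_cryptomap0", b, "outside_cryptomap0")}


if __name__ == "__main__":
    for section, findings in run_checks().items():
        print(section, findings or "OK")
```

Running it reports the bad next hop on the 5510's outside-2 default route and the undefined track 1, and nothing for the 5505 or the ACL mirror. The same three checks are worth running on any pair of ASA configs before bringing a tunnel up, since an asymmetric crypto ACL shows up only as a Phase 2 proposal mismatch in the logs.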
Don't forget to source your test pings from a device connected to an inside port, or use the command ping inside X.X.X.X after enabling management access with the command management-access inside.
Have fun