I have been looking on the internet for a sample configuration of a redundant site-to-site IPsec tunnel with multiple links but haven't been able to find anything straightforward. The commands here are for a Cisco ASA 5510 running IOS 8.3 and a Cisco ASA 5505 running the same version. Here is a short explanation of the networks I will be using before we get started:

192.168.1.0: internal network of the ASA 5510

192.168.2.0: internal network of the ASA 5505

10.0.1.0: the network assigned by your first internet provider (connected to the ASA 5510 interface outside-1)

10.0.2.0: the network assigned by your second internet provider (connected to the ASA 5510 interface outside-2)

172.16.1.0: the network assigned by your third internet provider (connected to the ASA 5505 interface outside)

Now let’s get to it!

First off, configure your interfaces on the 5510 (the inside address has to sit in the 192.168.1.0 network defined above):

interface Ethernet0/0
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 nameif outside-1
 ip address 10.0.1.2 255.255.255.0
interface Ethernet0/2
 nameif outside-2
 ip address 10.0.2.2 255.255.255.0

Create the network objects and the identity NAT rules that exempt the VPN traffic from translation on both outside interfaces:

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside-1) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside-2) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

Now create the access list that selects the interesting VPN traffic (the action comes before the protocol in ASA ACL syntax):

access-list outside_cryptomap0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Create the security policies (the DES and MD5 transform sets and the DES ISAKMP policy are only there for interoperability with older peers; both ASAs in this setup support AES and SHA, so you can leave the weak ones out):

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

Create the tunnel group (Phase 1 association). The group has to be declared as a LAN-to-LAN group before its attributes can be set, and abc123 is only a placeholder: use a long random key and configure the same one on both ends:

tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key abc123
 peer-id-validate nocheck

Create the crypto maps (one per interface):

crypto map outside-1_map0 1 match address outside_cryptomap0
crypto map outside-1_map0 1 set peer 172.16.1.2
crypto map outside-1_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside-2_map0 2 match address outside_cryptomap0
crypto map outside-2_map0 2 set peer 172.16.1.2
crypto map outside-2_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

Apply the crypto maps to the interfaces and enable ISAKMP on them:

crypto map outside-1_map0 interface outside-1
crypto map outside-2_map0 interface outside-2
crypto isakmp enable outside-1
crypto isakmp enable outside-2

Before we go ahead and configure the routing table, let's configure the SLA monitor and the tracking object. The routes below reference track 1, so the track object has to exist; it pings the first provider's gateway out of outside-1 and goes down when the gateway stops answering:

sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.1 interface outside-1
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

Now let's configure the routes. Every destination gets a tracked primary route out of outside-1 and a floating backup (metric 2) out of outside-2, including the route to the remote LAN; without tracking on that route, traffic for 192.168.2.0 would keep going out of outside-1 after a failover. 10.0.2.1 is the second provider's gateway here (mirroring 10.0.1.1 on the first link), so substitute your own:

route outside-1 0 0 10.0.1.1 1 track 1
route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1
route outside-1 192.168.2.0 255.255.255.0 172.16.1.2 1 track 1
route outside-2 0 0 10.0.2.1 2
route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2
route outside-2 192.168.2.0 255.255.255.0 172.16.1.2 2

Now let's configure the ASA 5505. First, the interfaces (the 5505 switch ports are named Ethernet0/0 through Ethernet0/7):

interface vlan 1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface vlan 2
 nameif outside
 ip address 172.16.1.2 255.255.255.0
interface Ethernet0/0
 switchport mode access
 switchport access vlan 1
interface Ethernet0/1
 switchport mode access
 switchport access vlan 2

Create the network objects and the identity NAT rule that exempts the VPN traffic from translation (the 5505 has a single outside interface, named outside):

object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0

Create the access list (the mirror image of the one on the 5510):

access-list outside_cryptomap0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Create the security policies (identical to the 5510 side):

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

Create the tunnel groups (one for each of the 5510's internet connections, because the 5505 will see the peer arriving from either address; abc123 is the same placeholder key as on the 5510):

tunnel-group 10.0.1.2 type ipsec-l2l
tunnel-group 10.0.1.2 ipsec-attributes
 pre-shared-key abc123
 peer-id-validate nocheck
tunnel-group 10.0.2.2 type ipsec-l2l
tunnel-group 10.0.2.2 ipsec-attributes
 pre-shared-key abc123
 peer-id-validate nocheck

Create the dynamic crypto map (the 5505 only answers the 5510, whichever address it connects from):

crypto dynamic-map outside_map0 1 match address outside_cryptomap0
crypto dynamic-map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

Attach the dynamic crypto map to a crypto map:

crypto map outside_map 1 ipsec-isakmp dynamic outside_map0

Apply the crypto map to the interface and enable ISAKMP on it:

crypto map outside_map interface outside
crypto isakmp enable outside

Configure the SLA monitor and the tracking object (again, the track object has to exist before the routes can reference it):

sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.1 interface outside
 num-packets 2
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

Configure the routes (the backup route to 192.168.1.0 goes via the 5510's second address, 10.0.2.2, matching the second tunnel group):

route outside 192.168.1.0 255.255.255.0 10.0.1.2 1 track 1
route outside 192.168.1.0 255.255.255.0 10.0.2.2 2
route outside 0 0 172.16.1.1 1
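As an added example (not part of the original post), a small Python check that catches the slips that silently break this kind of dual-link design when the configuration is pasted in: a nat rule naming an interface that does not exist, a route referencing a track object that was never created (or whose SLA monitor is missing), and a next hop that is not on the named interface's subnet. SAMPLE_5505 is a constructed fragment seeded with those three mistakes, and the parser only understands the handful of commands used on this page.

```python
import ipaddress
import re
# Constructed ASA 8.3 fragment (not from the page) seeded with three slips: a nat rule naming
# a non-existent interface, a route tracking an undefined object, and an off-subnet next hop.
SAMPLE_5505 = """
nameif inside
ip address 192.168.2.1 255.255.255.0
nameif outside
ip address 172.16.1.2 255.255.255.0
nat (inside,outside-1) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0
sla monitor 1
sla monitor schedule 1 life forever start-time now
route outside 192.168.1.0 255.255.255.0 10.0.1.2 1 track 1
route outside 0 0 172.16.1.1 1
"""

def parse(config):
    ifaces, slas, tracks, nats, routes, cur = {}, set(), {}, [], [], None
    for line in config.splitlines():
        p = line.split() or ["!"]
        if p[0] == "nameif":
            cur = p[1]
            ifaces[cur] = None
        elif p[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
        elif p[:2] == ["sla", "monitor"] and len(p) > 2 and p[2] != "schedule":
            slas.add(p[2])
        elif m := re.match(r"track (\d+) rtr (\d+) reachability", line.strip()):
            tracks[m[1]] = m[2]
        elif p[0] == "nat":
            nats.append(p[1].strip("()").split(","))
        elif p[0] == "route":  # route <iface> <net> <mask> <gw> [metric] [track N]
            routes.append((p[1], p[4], p[7] if "track" in p else None, line.strip()))
    return ifaces, slas, tracks, nats, routes

def lint(config):
    # One finding per mistake that would silently break the tracked/floating route design.
    ifaces, slas, tracks, nats, routes = parse(config)
    out = [f"nat references unknown interface {n}" for pair in nats for n in pair if n not in ifaces]
    for iface, gw, track, line in routes:
        net = ifaces.get(iface)
        if net is None:
            out.append(f"route uses unknown interface {iface}: {line}")
        elif ipaddress.ip_address(gw) not in net:
            out.append(f"next hop {gw} is not on {iface} ({net}), review: {line}")
        if track and track not in tracks:
            out.append(f"track {track} is never defined with 'track {track} rtr N reachability': {line}")
        elif track and tracks[track] not in slas:
            out.append(f"track {track} watches missing sla monitor {tracks[track]}: {line}")
    return out
```

Run lint() over your own pasted configuration before committing it; an empty list means the routes, track objects, SLA monitors and nat interface names agree with each other.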

Don't forget to test with traffic sourced from the inside network, either from a device connected to an inside port or with the command ping inside X.X.X.X after enabling management access with the command management-access inside.

Have fun