A client asked us to make the VPN tunnel between their office and their virtual data center in Cloud4Y redundant: the connection was unstable because of one of the ISPs on the client side. The typical scheme is shown below:
To bring the tunnel up automatically over the backup provider, the following configuration changes are proposed:
1. On the VMware Edge side, in the VPN settings allow connections to the Edge from any address: choose "Any" for "Peer IP". This is required because the public address the ASA negotiates from changes when it fails over to the backup ISP. With a wildcard peer, the firewall is the only control that limits who may attempt an IKE negotiation, so the Edge firewall permits IPsec traffic (IKE on UDP 500 and UDP 4500, plus ESP) only from the two ASA public addresses.
2. On the Cisco ASA side:
Interface settings:
interface GigabitEthernet0
description Connected to ISP2 - Primary link
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet1
description Connected to ISP3 - Backup link
nameif outside2
security-level 0
ip address 3.3.3.1 255.255.255.0
IP SLA monitor and track object that check reachability of the primary provider's gateway; the primary default route is tied to the track, and a second default route via the backup provider's gateway is added with administrative distance 254, so it is installed only when the tracked route is withdrawn. Note that probing the directly connected gateway only detects a failure of the link or the gateway itself; if the ISP fails further upstream while its gateway still answers, the track stays up and no failover happens. Probing a stable address beyond the gateway (still sourced from the outside interface) covers that case as well:
sla monitor 10
type echo protocol ipIcmpEcho 2.2.2.2 interface outside
frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
Existing IPsec settings:
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional
Additional IPsec settings. IKEv1 is enabled on the backup interface and the same crypto map is applied there; the crypto map entry and the tunnel group stay unchanged, because the peer (the Edge) keeps its address and only the ASA's source address changes:
crypto ikev1 enable outside2
crypto map outside_map interface outside2
Existing NAT rules. The first rule is identity (twice) NAT that exempts office-to-cloud traffic from the interface PAT in the second rule, so that it still matches the tunnel's traffic selector; 10.2.2.0-24 and 10.1.1.0-24 are the names of the network objects for the office and cloud subnets:
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
Additional NAT rules, the same pair for outside2. Without the identity rule, traffic leaving via the backup link would be translated to the outside2 address and never match the crypto ACL, so the tunnel would not carry it:
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
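The failure mode to watch for with this procedure is a backup interface that has a default route but not the full set of tunnel prerequisites. The script below is an added check written for this article (not part of the original page, nor a Cisco or VMware tool): it parses the ASA fragments above, merged into one constructed running-config text, and verifies that every interface carrying a default route has IKEv1 enabled, a crypto map applied and the same identity NAT as the primary interface, and that the primary route's track points at a scheduled SLA probe leaving via the primary interface. It also warns when the probe target is the directly connected gateway. The severity labels and message wording are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the article's ASA fragments before the backup-link additions.
EXISTING_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 ip address 2.2.2.1 255.255.255.0
interface GigabitEthernet1
 nameif outside2
 ip address 3.3.3.1 255.255.255.0
sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""
# The lines the article adds for the backup link.
ADDED_CONFIG = """\
crypto ikev1 enable outside2
crypto map outside_map interface outside2
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
"""
FULL_CONFIG = EXISTING_CONFIG + ADDED_CONFIG

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$")
IKEV1_RE = re.compile(r"^crypto ikev1 enable (\S+)$")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TWICE_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
SLA_ECHO_RE = re.compile(r"^type echo protocol ipIcmpEcho (\S+) interface (\S+)$")
SLA_SCHED_RE = re.compile(r"^sla monitor schedule (\d+) ")


def parse(config: str) -> dict:
    """Collect the facts the failover check needs from ASA config text."""
    f = {"routes": {}, "ikev1": set(), "cmap_ifaces": set(), "tracks": {},
         "identity_nat": defaultdict(set), "sla_probe": {}, "sla_scheduled": set()}
    current_sla = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ROUTE_RE.match(line)):
            iface, gw, dist, track = m.groups()
            f["routes"][iface] = (gw, int(dist or 1), track)   # default distance is 1
        elif (m := IKEV1_RE.match(line)):
            f["ikev1"].add(m.group(1))
        elif (m := CMAP_IF_RE.match(line)):
            f["cmap_ifaces"].add(m.group(2))
        elif (m := TWICE_NAT_RE.match(line)):
            _, egress, real_src, map_src, real_dst, map_dst = m.groups()
            if real_src == map_src and real_dst == map_dst:  # identity NAT = VPN exemption
                f["identity_nat"][egress].add((real_src, real_dst))
        elif (m := TRACK_RE.match(line)):
            f["tracks"][m.group(1)] = m.group(2)
        elif (m := SLA_SCHED_RE.match(line)):
            f["sla_scheduled"].add(m.group(1))
        elif (m := SLA_RE.match(line)):
            current_sla = m.group(1)
        elif (m := SLA_ECHO_RE.match(line)) and current_sla:
            f["sla_probe"][current_sla] = (m.group(1), m.group(2))
    return f


def check_failover(config: str) -> list:
    """Return (severity, message) findings; only 'warn' entries means the backup path is complete."""
    f = parse(config)
    routes = f["routes"]
    if len(routes) < 2:
        return [("fail", "fewer than two default routes: no backup path configured")]
    out = []
    primary = min(routes, key=lambda i: routes[i][1])
    gw, _, track_id = routes[primary]
    if track_id is None:
        out.append(("fail", f"{primary}: primary default route has no 'track'; failover never triggers"))
    else:
        sla_id = f["tracks"].get(track_id)
        probe = f["sla_probe"].get(sla_id)
        if probe is None:
            out.append(("fail", f"track {track_id}: no matching 'sla monitor' with an echo probe"))
        else:
            if sla_id not in f["sla_scheduled"]:
                out.append(("fail", f"sla monitor {sla_id}: not scheduled, the probe never runs"))
            if probe[1] != primary:
                out.append(("fail", f"sla monitor {sla_id}: probes leave via {probe[1]}, not {primary}"))
            if probe[0] == gw:
                out.append(("warn", f"sla monitor {sla_id}: target {gw} is the connected gateway; "
                                    "an upstream ISP failure is not detected"))
    # Every egress interface with a default route must replicate the primary's tunnel prerequisites.
    needed = set().union(*f["identity_nat"].values())
    for iface in sorted(routes):
        if iface not in f["ikev1"]:
            out.append(("fail", f"{iface}: IKEv1 not enabled; no tunnel can be negotiated from here"))
        if iface not in f["cmap_ifaces"]:
            out.append(("fail", f"{iface}: no crypto map applied; traffic routed here bypasses the VPN policy"))
        for src, dst in sorted(needed - f["identity_nat"].get(iface, set())):
            out.append(("fail", f"{iface}: no identity NAT for {src} -> {dst}; traffic would be PAT'd "
                                "to the interface address and miss the crypto ACL"))
    return out


if __name__ == "__main__":
    for label, cfg in (("existing config only", EXISTING_CONFIG), ("with backup-link additions", FULL_CONFIG)):
        print(f"== {label} ==")
        for severity, msg in check_failover(cfg) or [("ok", "backup path complete")]:
            print(f"[{severity}] {msg}")
```

Run against the existing configuration alone, the check reports three failures for outside2 (no IKEv1, no crypto map, no identity NAT); with the four added lines only the gateway-probe warning remains, which matches the caveat on the SLA target above.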