Forum Discussion
VPN redundancy behind F5 LC
We have the following structure, and currently have IPsec VPNs built between different remote sites with a single public IP.
Internal Network > ASA Firewall (IPSec VPN) > F5 LC > Internet < ASA Firewall (IPSec VPN) < Remote Network
Internal Network ASA: Internal IP: 10.20.0.1
Internet IP
ISP A 202.66.1.1
ISP B 202.182.11.1
F5 LC NAT in iRule
Outbound 10.20.0.1 > 202.66.1.1
Inbound 202.66.1.1 > 10.20.0.1
202.182.11.1 > 10.20.0.1 (New add for test ISP B)
We are going to enhance VPN redundancy by setting up ISP B to be included in the remote site VPN profiles.
I have set up a test site with an ASA firewall. The test build with ISP A was without problem, but the build using ISP B did not connect.
Is there any configuration I need to set up in the F5 LC so that it recognizes the outgoing traffic as the same as the incoming traffic while building the IPsec VPN?
2 Replies
- What_Lies_Bene1
Cirrostratus
I'm not too familiar with LC but don't you need another (outbound) NAT for the ISP B IP address?
- Jeff_Banks
Nimbostratus
We have a Local ASA with 2 ISPs and a Remote ASA with 1 ISP. The remote ASA will establish a site-to-site VPN to the local ASA via ISP 1. If ISP 1 is unable to connect, it will connect through ISP 2 automatically.
Link Controller
Create a Pool
Name = VPN_Pool
Member = “ip of cisco ASA outside interface” 10.20.1.0:0
Create 2 Virtual Servers
Name = ISP_1
Address = 1.1.1.1:0 “Public IP from ISP_1”
Type = Performance (Layer 4)
Default Pool = VPN_Pool
Name = ISP_2
Address = 2.2.2.2:0 “Public IP from ISP_2”
Type = Performance (Layer 4)
Default Pool = VPN_Pool
Remote Cisco ASA
Create Site to Site VPN between remote ASA and Local ASA ISP 1 1.1.1
Remote Cisco ASA
Command to allow site to Site VPN failover to 2nd ISP
This command assumes the following.
There is only 1 site to site VPN on the remote ASA using Crypto map 1
Use the same pre-share-key password as ISP 1 VPN pre-share
crypto map outside_map 1 set peer 1.1.1.1 2.2.2.2
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key ********** (Password)
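Added illustration, not written by either poster and not F5 or Cisco code: a simplified model of the symmetry question both replies circle around, using the NAT entries from the original post. The `Nat` class, the flow-tracking behaviour and the remote peer address 198.51.100.7 are assumptions made for the example. It only checks whether an IKE reply leaves with the same public source address the remote peer dialled.

```python
# Added example: simplified model of the NAT path in the original post.
# Addresses come from the post except REMOTE, which is constructed.
from ipaddress import ip_address as ip

ASA = ip("10.20.0.1")
ISP_A, ISP_B = ip("202.66.1.1"), ip("202.182.11.1")
INBOUND = {ISP_A: ASA, ISP_B: ASA}   # public destination -> internal host
OUTBOUND = {ASA: ISP_A}              # the single source-based outbound rule
REMOTE = ip("198.51.100.7")          # constructed remote ASA peer


class Nat:
    """Toy NAT device; track_flows=True remembers which public address
    a remote peer dialled and reuses it for the reply (assumed behaviour)."""

    def __init__(self, inbound, outbound, track_flows):
        self.inbound, self.outbound = inbound, outbound
        self.track_flows = track_flows
        self.flows = {}  # (remote, internal) -> public address dialled

    def from_internet(self, src, dst):
        internal = self.inbound.get(dst)
        if internal is not None and self.track_flows:
            self.flows[(src, internal)] = dst
        return internal

    def to_internet(self, src, dst):
        if self.track_flows and (dst, src) in self.flows:
            return self.flows[(dst, src)]
        return self.outbound.get(src)  # None means no translation at all


def ike_reply_accepted(nat, remote, dialled):
    """The remote peer accepts a reply only from the address it dialled."""
    internal = nat.from_internet(remote, dialled)
    if internal is None:
        return False
    return nat.to_internet(internal, remote) == dialled


def probe(track_flows):
    nat = Nat(INBOUND, OUTBOUND, track_flows)
    return {str(p): ike_reply_accepted(nat, REMOTE, p) for p in (ISP_A, ISP_B)}


if __name__ == "__main__":
    print("source-based outbound NAT only:", probe(False))
    print("flow-aware return translation: ", probe(True))
```

In this model the ISP B address fails with the source-based outbound rule alone and passes once replies are tied to the inbound flow.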