Could use some help with a setup I'm working on.
SiteA WAN IP: X.X.X.X
SiteB WAN IP-1: Y.Y.Y.Y
SiteB WAN IP-2: Z.Z.Z.Z
Site B is running a SonicWall firewall with a primary and backup ISP link. Site A is running a Cisco ASA 5520 with a single WAN IP.
I am able to configure a working site-to-site VPN from SiteA to SiteB WAN IP-1 just fine. It connects and it's passing traffic just fine. I figured I could just add a second crypto map to SiteB WAN IP-2, just duplicating the configuration of IP-1. If WAN IP-1 goes down, the ASA will bring up the VPN connection to WAN IP-2, but traffic is only one way, Site B to Site A only. The machines on the SiteA side are able to receive and send, but the FW is not encrypting the traffic back, only decrypting.
Here is a sample of the crypto maps:
access-list outside_3_cryptomap extended permit ip 172.16.19.0 255.255.255.224 192.168.168.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 172.16.19.0 255.255.255.224 192.168.168.0 255.255.255.0
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer Y.Y.Y.Y
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer Z.Z.Z.Z
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
Can't use backup-peer here since the other side is not a Cisco device.
Would this configuration even work as I think it should?
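To see why the posted config leaves outbound traffic stuck on the first entry, here is an added Python model of ASA crypto-map selection (my own example, not code from the post or from Cisco). It assumes the documented ASA behaviour that entries are walked in ascending sequence number and the first entry whose match ACL permits the flow is the only one used, and that a single entry may list several peers with `set peer Y.Y.Y.Y Z.Z.Z.Z` that are tried in order; the placeholder peer addresses and the sample flow are constructed.

```python
"""Model of how an ASA picks a crypto map entry and peer for an outbound flow.

Assumption (not from the original post): entries are evaluated in ascending
sequence number; the first entry whose match ACL permits the flow wins, and
only that entry's peer list is consulted. Later entries with the same ACL
(like seq 4 in the post) are therefore never reached for outbound traffic.
"""
from ipaddress import ip_address, ip_network


def acl_permits(acl, src, dst):
    """True if src/dst fall inside the ACL's permit ip <src net> <dst net>."""
    src_net = ip_network(f"{acl['src']}/{acl['src_mask']}", strict=False)
    dst_net = ip_network(f"{acl['dst']}/{acl['dst_mask']}", strict=False)
    return ip_address(src) in src_net and ip_address(dst) in dst_net


def select_peer(crypto_map, src, dst, reachable_peers):
    """Return (seq, peer) for flow src->dst, (seq, None) if the matching entry
    has no reachable peer, or None if no entry matches (traffic goes in clear
    or is dropped by policy, depending on the rest of the config)."""
    for seq in sorted(crypto_map):
        entry = crypto_map[seq]
        if acl_permits(entry["acl"], src, dst):
            for peer in entry["peers"]:          # tried in configured order
                if peer in reachable_peers:
                    return seq, peer
            return seq, None                      # matched, but no usable peer
    return None


# The ACL from the post; both entries use the same selector.
SITE_ACL = {"src": "172.16.19.0", "src_mask": "255.255.255.224",
            "dst": "192.168.168.0", "dst_mask": "255.255.255.0"}

# Config as posted: two entries, one peer each, identical ACLs.
POSTED = {3: {"acl": SITE_ACL, "peers": ["Y.Y.Y.Y"]},
          4: {"acl": SITE_ACL, "peers": ["Z.Z.Z.Z"]}}

# One entry listing both peers ("set peer Y.Y.Y.Y Z.Z.Z.Z"), so failover
# happens inside the entry that actually matches the traffic.
CORRECTED = {3: {"acl": SITE_ACL, "peers": ["Y.Y.Y.Y", "Z.Z.Z.Z"]}}

if __name__ == "__main__":
    flow = ("172.16.19.5", "192.168.168.10")     # constructed sample flow
    print("posted, IP-1 down:   ", select_peer(POSTED, *flow, {"Z.Z.Z.Z"}))
    print("corrected, IP-1 down:", select_peer(CORRECTED, *flow, {"Z.Z.Z.Z"}))
```

With WAN IP-1 down the posted config still lands on seq 3 with no usable peer, which matches the symptom of decrypt-only traffic at Site A, while the single-entry form fails over to Z.Z.Z.Z.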