Forum Discussion

david_tam_13229
Aug 26, 2013

VPN redundancy behind F5 LC

 

We have the following structure, with existing IPsec VPNs built to different remote sites using a single public IP:

 

Internal Network > ASA Firewall (IPSec VPN) > F5 LC > Internet < ASA Firewall (IPSec VPN)< Remote Network;

 

 

Internal Network ASA: Internal IP: 10.20.0.1

 

 

Internet IP

 

ISP A 202.66.1.1

 

ISP B 202.182.11.1

 

 

F5 LC NAT in iRule

 

Outbound 10.20.0.1 > 202.66.1.1

 

 

Inbound 202.66.1.1 > 10.20.0.1

 

202.182.11.1 > 10.20.0.1 (newly added to test ISP B)

 

 

We are going to enhance VPN redundancy by including ISP B in the remote site VPN profiles.

 

 

I have set up a test site with an ASA firewall; the test build over ISP A worked without problems, but the build using ISP B did not connect.

 

 

Is there any configuration I need to set up on the F5 LC so that it recognizes the outgoing traffic the same way as the incoming traffic while building the IPsec VPN?

 

 

2 Replies

  • I'm not too familiar with LC, but don't you need another (outbound) NAT for the ISP B IP address?

     

  • We have a local ASA with 2 ISPs and a remote ASA with 1 ISP. The remote ASA will establish a site-to-site VPN to the local ASA via ISP 1. If ISP 1 is unable to connect, it will connect through ISP 2 automatically.

     

    Link Controller:
    Create a Pool: Name = VPN_Pool, Member = "IP of Cisco ASA outside interface" 10.20.1.0:0

     

    Create 2 Virtual Servers:
    Name = ISP_1, Address = 1.1.1.1:0 "Public IP from ISP_1", Type = Performance (Layer 4), Default Pool = VPN_Pool

     

    Name = ISP_2, Address = 2.2.2.2:0 "Public IP from ISP_2", Type = Performance (Layer 4), Default Pool = VPN_Pool

     

    Remote Cisco ASA: Create a site-to-site VPN between the remote ASA and the local ASA via ISP 1 (1.1.1)

     

    Remote Cisco ASA command to allow site-to-site VPN failover to the 2nd ISP:

     

    This command assumes the following: there is only one site-to-site VPN on the remote ASA, using crypto map entry 1, and it uses the same pre-shared key as the ISP 1 VPN.

     

    crypto map outside_map 1 set peer 1.1.1.1 2.2.2.2
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key ********** (Password)
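The Link Controller steps in the reply above, expressed as tmsh commands. This is an added example, not configuration posted by either participant; it uses the reply's placeholder addresses (10.20.1.0 for the ASA outside interface, 1.1.1.1 and 2.2.2.2 for the two ISP addresses) and its object names, and the gateway_icmp monitor is an assumption. The points a practitioner has to get right for IPsec are called out in the comments: the virtual servers must accept every IP protocol, not just TCP or UDP, because ESP (IP protocol 50) carries no port, and address translation must be left enabled so the remote ASA sees IKE and ESP replies from the same public address it dialled.

```tmsh
# Added example (not from the original thread): tmsh equivalent of the
# Link Controller pool and virtual servers described in the reply.
# Addresses are the reply's placeholders; the monitor is an assumption.

# Pool with the local ASA's outside interface as its only member.
# Port 0 means "any port": IKE (UDP/500, UDP/4500 with NAT-T) and ESP
# (IP protocol 50, no port at all) must all land on the same member.
create ltm pool VPN_Pool members add { 10.20.1.0:0 } monitor gateway_icmp

# One Performance (Layer 4) virtual server per ISP public address.
# ip-protocol any is the important setting: a TCP-only or UDP-only virtual
# server would pass the IKE negotiation and then silently drop ESP, which
# looks like "phase 1 up, no traffic" on the ASAs.
# translate-address enabled (the default) rewrites the destination to the
# pool member inbound and restores the public IP on the return path, so the
# remote peer always sees the address it initiated to.
create ltm virtual ISP_1 destination 1.1.1.1:0 ip-protocol any profiles add { fastL4 } pool VPN_Pool translate-address enabled

create ltm virtual ISP_2 destination 2.2.2.2:0 ip-protocol any profiles add { fastL4 } pool VPN_Pool translate-address enabled

# Verify what was created.
list ltm pool VPN_Pool
list ltm virtual ISP_1
list ltm virtual ISP_2

save sys config
```

This design assumes the remote ASA always initiates, as the reply describes: the tunnel comes up on whichever ISP address the remote ASA reaches, and the return path is handled by the virtual server's address translation. If the local ASA also needs to initiate out through ISP B, an outbound SNAT mapping 10.20.1.0 to 2.2.2.2 is still required on the LC, which is the point the first reply raises. On the ASA side, listing both public addresses in one crypto map entry (`set peer 1.1.1.1 2.2.2.2`) together with a tunnel-group for each peer, as in the reply, is what lets the remote side fall back to the second address when the first does not answer.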