One client contacted us with a request for a VPN tunnel between their office and their virtual data center at Cloud4U. They experienced unstable connections due to an issue with one of their providers. The typical setup is shown below:
To resolve this issue, we propose the following changes:
1. On the VMware Edge side, allow Edge connections from any IP address by choosing "Any" in the "Peer IP" setting. Because the Edge will then accept the tunnel from either of the client's public addresses, the firewall in front of it should only allow IPsec traffic from the addresses actually needed (here the ASA's outside and outside2 addresses).
2. On the Cisco ASA side:
Interface settings:
interface GigabitEthernet0
description Connected to ISP2 - Primary link
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.0
!
interface GigabitEthernet1
description Connected to ISP3 - Backup link
nameif outside2
security-level 0
ip address 3.3.3.1 255.255.255.0
SLA monitor settings that check the availability of the primary provider's gateway, plus a backup default route via the backup provider's gateway with an administrative distance of 254 (used only while track 1 reports the primary gateway as unreachable):
sla monitor 10
type echo protocol ipIcmpEcho 2.2.2.2 interface outside
frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
Existing IPsec settings:
crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional
Additional IPsec settings (enable IKEv1 and bind the same crypto map to the backup interface):
crypto ikev1 enable outside2
crypto map outside_map interface outside2
Existing NAT rules:
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
Additional NAT rules (the same NAT exemption for the VPN subnets and the same PAT rule, but for the backup interface; without the exemption, traffic leaving via outside2 would be PATed and no longer match the tunnel):
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface
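As an added check (not part of the original article), the following Python script parses an ASA running-config like the one above and reports which of the per-interface pieces the failover needs (default route, IKEv1 enabled, crypto map bound, NAT exemption) are missing on any security-level 0 interface. The sample config is constructed from this page's snippets; the object names and the crypto map name `outside_map` are the page's own.

```python
import re

# Constructed sample: the "existing" ASA snippets from this page, joined into one config.
EXISTING_CONFIG = """
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0
interface GigabitEthernet1
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254
crypto ikev1 enable outside
crypto map outside_map interface outside
nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
"""

# Constructed sample: the "additional" lines the page adds for the backup link.
ADDITIONAL_CONFIG = """
crypto ikev1 enable outside2
crypto map outside_map interface outside2
nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
"""

def outside_interfaces(config):
    """Return the nameif of every interface with security-level 0 (the ISP-facing links)."""
    names, current = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None            # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line == "security-level 0" and current:
            names.append(current)
    return names

def failover_gaps(config, crypto_map="outside_map"):
    """List the per-interface pieces the VPN failover needs but the config lacks."""
    gaps = []
    for nameif in outside_interfaces(config):
        n = re.escape(nameif)
        checks = {
            "default route": rf"^route {n} 0\.0\.0\.0 0\.0\.0\.0 ",
            "ikev1 enabled": rf"^crypto ikev1 enable {n}$",
            "crypto map bound": rf"^crypto map {re.escape(crypto_map)} interface {n}$",
            "NAT exemption": rf"^nat \(inside,{n}\) source static .* no-proxy-arp route-lookup$",
        }
        for what, pattern in checks.items():
            if not re.search(pattern, config, re.MULTILINE):
                gaps.append(f"{nameif}: missing {what}")
    return gaps
```

Run `failover_gaps` over `show running-config` output before and after the change: with only the existing lines it reports the three missing pieces for outside2, and with the additional lines it returns an empty list.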