Asa Vpn Load Balancing Configuration

1/6/2022 by admin

The administrator configures load-balancing on each security appliance. The following are the steps to configure load-balancing for remote access VPN.

Step 1 Log in to the Cisco ASA using ASDM.

Step 2 On the main menu, choose Wizards.

Step 3 Choose the High Availability and Scalability Wizard.

Step 4 The High Availability and Scalability Wizard starts. The screen shown in Figure 12-69 is displayed. Click Configure VPN Cluster Load Balancing, as shown in Figure 12-69.

Figure 12-69 High Availability and Scalability Wizard

Step 5 Click Next.

Step 6 The screen shown in Figure 12-70 is displayed. Enter the cluster IP address. The cluster IP address is the virtual address that VPN clients will use to connect to the cluster. In this example, the cluster IP address is 209.165.202.131.

Figure 12-70 VPN Cluster Load-Balancing Configuration

Step 7 Enter a UDP port for load-balancing communication between all Cisco ASAs within the cluster. In this example, the default UDP port (9023) is used.

Step 8 Optionally, you can encrypt all VPN load-balancing traffic. Check the Enable IPsec encryption option to enable encryption.

Step 9 Configure a preshared secret. In this example, the preshared secret is 2wsx1qaz.

Step 10 The priority is set to 5. The higher the priority, the more likely it is that this ASA will become the master of the cluster.

Step 11 The public interface is the outside interface in this example. The private interface is the inside interface, as shown in Figure 12-70.

Step 12 Click Next.

Step 13 A summary screen is displayed.

Step 14 Click Finish to apply the configuration to the Cisco ASA.

Example 12-13 shows the Cisco ASA remote access VPN and load-balancing CLI configuration.

Example 12-13 Cisco ASA Remote Access VPN and Load-Balancing Configuration

    hostname asa-1
    !
    interface GigabitEthernet0/0
     description Outside interface connected to the Internet
     nameif outside
     security-level 0
     ip address 209.165.202.129 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Inside interface connected to corporate network
     nameif inside
     security-level 100
     ip address 10.250.10.1 255.255.255.0
    !
    interface Management0/0
     nameif management
     security-level 0
     ip address 10.250.30.1 255.255.255.0
     management-only
    !
    !Split tunneling ACL
    access-list IPSEC-RA-GROUP_splitTunnelAcl standard permit 10.250.10.0 255.255.255.0
    !ACL to bypass NAT for remote access VPN connections
    access-list inside_nat0_outbound extended permit ip 10.250.10.0 255.255.255.0 10.250.50.0 255.255.255.0
    !
    !IP address pool for remote access VPN clients
    ip local pool IPSec-Pool 10.250.50.1-10.250.50.254 mask 255.255.255.0
    !
    !NAT configuration
    nat (inside) 0 access-list inside_nat0_outbound
    !
    !RADIUS Configuration for remote access VPN authentication
    aaa-server RADIUS-Server protocol radius
    aaa-server RADIUS-Server (management) host 172.18.85.181
     timeout 5
     key cisco123
    !
    !Crypto map configuration
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    !
    !ISAKMP enabled on the outside interface
    crypto isakmp enable outside
    !ISAKMP policy for Remote Access VPN
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    !
    !Load-balancing Configuration
    vpn load-balancing
     cluster key 2wsx1qaz
     cluster ip address 209.165.202.131
     cluster encryption
     participate
    !
    !Remote Access Group Configuration
    group-policy IPSEC-RA-GROUP internal
    group-policy IPSEC-RA-GROUP attributes
     wins-server value 172.18.124.14 172.18.124.15
     dns-server value 172.18.124.12 172.18.124.13
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value IPSEC-RA-GROUP_splitTunnelAcl
     default-domain value companyc.com
    tunnel-group IPSEC-RA-GROUP type remote-access
    tunnel-group IPSEC-RA-GROUP general-attributes
     address-pool IPSec-Pool
     authentication-server-group RADIUS-Server
     default-group-policy IPSEC-RA-GROUP
    tunnel-group IPSEC-RA-GROUP ipsec-attributes
     pre-shared-key *
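As an added example (not code from the book chapter), the following Python audits the load-balancing block of a configuration like Example 12-13 against the points raised in Steps 6, 8 and 9: cluster encryption enabled, a cluster key present, and the cluster IP address on the public interface's subnet, which the ASA requires. The embedded sample text and the one-space indentation rule for sub-commands are assumptions taken from the example above.

```python
# Added example (not from the book): audit the ASA 'vpn load-balancing' block.
# Assumes ASA's one-space indentation of sub-commands under a parent command.
import ipaddress

# Constructed sample: the outside-interface and load-balancing lines of Example 12-13.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 209.165.202.129 255.255.255.0
vpn load-balancing
 cluster key 2wsx1qaz
 cluster ip address 209.165.202.131
 cluster encryption
"""

def parse_blocks(config):
    # Group indented sub-commands under their top-level command; skip blanks and '!' lines.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def interface_subnet(blocks, nameif):
    # Network of the interface whose nameif matches, or None if not found.
    for cmd, subs in blocks.items():
        if cmd.startswith("interface ") and f"nameif {nameif}" in subs:
            for s in subs:
                if s.startswith("ip address "):
                    ip, mask = s.split()[2:4]
                    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return None

def audit_load_balancing(config, public_if="outside"):
    """Return finding strings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    lb = blocks.get("vpn load-balancing")
    if lb is None:
        return ["no 'vpn load-balancing' section"]
    findings = []
    if "cluster encryption" not in lb:  # Step 8: otherwise cluster traffic is unencrypted
        findings.append("cluster encryption disabled")
    if not any(s.startswith("cluster key ") for s in lb):
        findings.append("no cluster key configured")
    ip_line = next((s for s in lb if s.startswith("cluster ip address ")), None)
    net = interface_subnet(blocks, public_if)  # cluster IP must sit on the public subnet
    if ip_line and net and ipaddress.ip_address(ip_line.split()[-1]) not in net:
        findings.append(f"cluster IP not on the {public_if} subnet {net}")
    return findings
```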


Load Balancing IPSEC Traffic


Configuring load balancing IPSEC traffic across VPN gateways

The previous chapter shows how to load balance across three VPN gateways. The IPSEC protocol (Internet Protocol Security) enables you to load balance between gateways as well. Figure 8.1 shows inbound IPSEC traffic being load balanced to one of three destination VPN gateways.

Figure 8.1 VPN load balancing between VPN gateways

In this configuration, address translation is on, and IPSEC is in tunnel mode with ESP (Encapsulating Security Payload) specified. The hop shown by the blue arrow represents the IPSEC part of the transmission. A packet originating from Client1 with Client6 as its destination is encapsulated by the VPN gateway (VPN5) serving the client and traverses the Internet in this secure form. The BIG-IP then load balances the packet to one of three destination gateways: VPN1, VPN2, or VPN3. The VPN to which it is load balanced then becomes the established gateway, or tunnel, for packets from VPN5. Traffic from Client1, a separate VPN connection, would be load balanced to a different destination VPN.

For this configuration to work, IPSEC requires certain special settings on the clients and servers, and on the BIG-IP:

  • On clients and servers, IPSEC must be configured in tunnel mode with ESP.
  • You must enable Any IP mode for the virtual servers on the BIG-IP.
  • Enable address translation on the BIG-IP.
  • Enable UDP on the BIG-IP to support internet key exchange (IKE) traffic.
  • Enable persistence across services on the BIG-IP.

Configuring IPSEC load balancing

First, configure your servers and clients for IPSEC tunnel mode with ESP. Refer to the documentation provided with the server or client. Be sure to use the same security association for all clients.

Next, complete the following tasks on the BIG-IP:

  • Create two load balancing pools
    Create two load balancing pools for the VPN destination gateways, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP mode.
  • Create two virtual servers
    Create two virtual servers for referencing the two pools, one specifying port 500 for internet key exchange, one specifying a wildcard service (0) for Any IP (IPSEC) traffic.
  • Enable UDP
    Enable UDP for internet key exchange (IKE) traffic.
  • Enable persistence
    Enable persistence across services.

Defining the pools

To configure IPSEC load balancing, you first define one pool that load balances the VPN destination gateways with a wildcard port, and one pool that load balances the VPN destination gateways handling service 500 traffic.

To create the pools using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration notes

    Create a VPN pool named vpn_anyip. This pool contains the outside addresses of the three VPN destination gateways with service zero.

    Create a VPN pool named vpn_ike. This pool contains the outside addresses of the three VPN destination gateways with service 500.

    To define pools from the command line

    Use the following syntax to define the pools at the command line:

    b pool <pool_name> { member <member1> member <member2> ... }

    To create the configuration described in this solution, type the following commands:

    b pool vpn_anyip {
    member 10.1.10.1:0
    member 10.1.10.2:0
    member 10.1.10.3:0 }

    b pool vpn_ike {
    member 10.1.10.1:500
    member 10.1.10.2:500
    member 10.1.10.3:500 }

Defining the virtual servers

After you define the pools for the VPNs, you can define the following virtual servers, one to load balance Any IP (IPSEC) traffic, and one to load balance internet key exchange traffic.

To define the virtual server using the Configuration utility

Use this procedure for each BIG-IP that you need to configure.

  1. In the navigation pane, click Virtual Servers.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)
  4. Fill in the attributes for the virtual server. For additional information about this screen, click the Help button.
  5. For each of the two VPN load-balancing virtual servers:
  6. Click the Virtual Address Properties tab.
    The Virtual Address Properties screen opens.
  7. In the Any IP Traffic field, check the Enable box. Then click Apply.

    Configuration notes

    Create the virtual server 192.168.13.100:0 and use the pool vpn_anyip.

    Create the virtual server 192.168.13.100:500 and use the pool vpn_ike.

    To define the virtual servers from the command line

    Define the virtual servers from the command line as follows:

    b virtual 192.168.13.100:0 use pool vpn_anyip

    b virtual 192.168.13.100:500 use pool vpn_ike

    Then, enable Any IP for both virtual servers:

    b virtual 192.168.13.100 any_ip enable

Enabling UDP

After you enable the Any IP feature for the virtual servers, enable UDP 500 so the BIG-IP can handle internet key exchange (IKE) traffic:

b service 500 udp enable

Enabling persistence across services

Finally, complete the configuration by setting up persistence across services on the BIG-IP:

b global persist_across_services enable
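Added example, not part of the F5 guide: a small Python model of why persistence across services is required for this configuration. It assumes round-robin selection within each pool and models persist_across_services as a persistence record keyed by client address that the :0 and :500 virtual servers on 192.168.13.100 share; without it, a peer's IKE (UDP 500) and ESP (Any IP) flows can be sent to different destination gateways, which is the failure the requirement list above guards against.

```python
# Added example (not from the F5 guide): why persist_across_services is required.
# One IPSEC peer produces two flows, IKE on UDP 500 (virtual server :500) and ESP as
# "Any IP" traffic (virtual server :0); both must reach the same destination gateway.
from itertools import cycle

GATEWAYS = ["10.1.10.1", "10.1.10.2", "10.1.10.3"]  # members of vpn_ike and vpn_anyip

class BigIpModel:
    """Round-robin selection per pool plus a persistence table (assumed model)."""
    def __init__(self, persist_across_services):
        self.persist_across_services = persist_across_services
        self.rr = {"vpn_ike": cycle(GATEWAYS), "vpn_anyip": cycle(GATEWAYS)}
        self.persist = {}

    def pick(self, client_ip, pool):
        # With persistence across services the record is keyed by client address only,
        # so the :0 and :500 virtual servers on 192.168.13.100 share it; otherwise each
        # virtual server keeps its own record and may choose a different gateway.
        key = client_ip if self.persist_across_services else (client_ip, pool)
        if key not in self.persist:
            self.persist[key] = next(self.rr[pool])
        return self.persist[key]

def tunnel_gateways(client_ip, persist_across_services):
    """Return (ike_gateway, esp_gateway) selected for one peer's IKE then ESP packets."""
    bigip = BigIpModel(persist_across_services)
    bigip.pick("198.51.100.7", "vpn_ike")  # constructed: another peer's IKE arrives first
    ike = bigip.pick(client_ip, "vpn_ike")
    esp = bigip.pick(client_ip, "vpn_anyip")
    return ike, esp
```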

IPSEC VPN sandwich configuration

You can load balance content servers to incoming IPSEC traffic by adding a second BIG-IP in a VPN sandwich configuration. Figure 8.2 shows the VPN sandwich configuration.

Figure 8.2 VPN load balancing between VPN gateways

When you set up the sandwich configuration, the configuration tasks you use are identical to those you use for the basic VPN IPSEC configuration. The exception is that you also configure a load balancing pool and a virtual server on the second BIG-IP. For example:

  • Create a VPN pool named server_pool. This pool contains as members the addresses of the four content servers, server1, server2, server3, and server4.
  • Create the virtual server 10.1.20.10:80 and use the pool server_pool.

Defining the additional pool

To create the pool using the Configuration utility

For the BIG-IP in Figure 8.2 labeled BIG-IP 2:

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. Click the Add button.
    The Add Pool screen opens.
  3. For each pool, enter the pool name and member addresses in the Add Pool screen. (For additional information about configuring a pool, click the Help button.)

    Configuration note

    Create a VPN pool named server_pool. This pool contains as members the addresses of the four content servers, server1, server2, server3, and server4.

    To define the pool from the command line

    Use the following syntax to define the pools from the command line:

    b pool <pool_name> { member <member1> member <member2> ... }

    To create the configuration described in this solution, type the following command:

    b pool server_pool {
    member 10.1.20.1:80
    member 10.1.20.2:80
    member 10.1.20.3:80
    member 10.1.20.4:80 }

Defining the additional virtual server

To define the additional virtual server using the Configuration utility

For each BIG-IP to be configured:

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. Click the Add button.
    The Add Virtual Server screen opens.
  3. For each virtual server, enter the virtual server address and pool name. (For additional information about configuring a virtual server, click the Help button.)

    To define the virtual server from the command line

    To define the virtual server from the command line, type the following command.

    b virtual 10.1.20.10:80 use pool server_pool

Additional configuration options

Whenever a BIG-IP is configured, you have a number of options:

  • You have the option in all configurations to configure a BIG-IP redundant system for fail-over. Refer to Chapter 5, Configuring a Redundant System, in the BIG-IP Reference Guide.
  • All configurations have health monitoring options. Refer to Health Monitors in Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.
  • When you create a pool, there is an option to set up persistence and a choice of load balancing methods. Refer to Pools in Chapter 3, Configuring the High-Level Network, in the BIG-IP Reference Guide.