ASA VPN load-balancing
VPN load balancing (VCA, Virtual Cluster Agent) is not supported on PIX 7.0 and is only available on the ASA 5520 and larger models; it is not supported in Active/Active failover.
VPN load balancing only takes effect for sessions initiated by the following remote clients (in other words, it only balances remote-access / Easy VPN sessions):
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client.
Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including
LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but
they cannot participate in load balancing.
Principle
With VCA, the remote client initiates its connection to the cluster's virtual IP address. The cluster master handles this initial connection, checks the load of each cluster member, and sends back the physical IP address of the member with the lowest load; the remote client then connects to that physical IP address. If a cluster member fails, the remote client should detect it quickly via DPD (Dead Peer Detection) and reconnect to the virtual IP address, so that it is redirected to another cluster member.
Attention!!! The ASA must permit the VCA traffic (UDP 9023) through the ACL on every interface it is exchanged on, and the ASA must have an active 3DES/AES license; otherwise any VCA configuration on the ASA is ignored.
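The redirect and reconnect flow described above, as an added model written for this page (not Cisco code and not the real VCA wire protocol): a client sends its initial connection to the virtual IP, the master hands back the least-loaded live member, and after a member dies DPD makes the orphaned clients go back through the virtual IP. The load metric (session count), the tie-break among equal loads or priorities, and ASA2's default priority of 5 (the ASA 5520 default quoted later on this page) are assumptions of the model.

```python
"""Simplified model of ASA VPN load-balancing (VCA) redirection.

Added example for this page, not Cisco code. It models the behaviour the
text describes; load metric, tie-breaks and message formats are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    physical_ip: str
    priority: int
    sessions: int = 0      # assumption: load is measured as active session count
    alive: bool = True


class Cluster:
    def __init__(self, virtual_ip, members):
        self.virtual_ip = virtual_ip
        self.members = list(members)

    def live(self):
        return [m for m in self.members if m.alive]

    def master(self):
        """The live member with the highest priority is master (ties: first configured; assumed)."""
        live = self.live()
        if not live:
            raise RuntimeError("no live cluster members")
        return max(live, key=lambda m: m.priority)

    def redirect(self, dst_ip):
        """Handle an initial connection from a remote client.

        Only connections to the virtual IP are balanced: the master answers them
        and returns the physical IP of the least-loaded live member. A connection
        made directly to a member's physical IP (as a LAN-to-LAN peer would do)
        is served by that member and is not balanced.
        """
        if dst_ip == self.virtual_ip:
            self.master()  # raises if the whole cluster is down
            target = min(self.live(), key=lambda m: m.sessions)
        else:
            target = next(m for m in self.live() if m.physical_ip == dst_ip)
        target.sessions += 1
        return target.physical_ip

    def fail(self, name):
        """Take a member down; its sessions are lost with it."""
        for m in self.members:
            if m.name == name:
                m.alive = False
                m.sessions = 0


class RemoteClient:
    def __init__(self, cluster):
        self.cluster = cluster
        self.peer_ip = None

    def connect(self):
        """Always start at the virtual IP and follow the master's redirect."""
        self.peer_ip = self.cluster.redirect(self.cluster.virtual_ip)
        return self.peer_ip

    def dpd(self):
        """Dead Peer Detection: if the current peer is dead, reconnect via the virtual IP."""
        peer = next(m for m in self.cluster.members if m.physical_ip == self.peer_ip)
        return self.peer_ip if peer.alive else self.connect()


def simulate():
    """Constructed scenario using the two members from the example on this page."""
    cluster = Cluster("192.1.1.3", [Member("ASA1", "192.1.1.1", priority=10),
                                    Member("ASA2", "192.1.1.2", priority=5)])
    clients = [RemoteClient(cluster) for _ in range(4)]
    initial = [c.connect() for c in clients]        # spread across both members
    master_before = cluster.master().name
    cluster.fail("ASA1")                             # the master itself goes down
    master_after = cluster.master().name             # ASA2 takes over the virtual IP
    after_dpd = [c.dpd() for c in clients]           # only orphaned clients reconnect
    return {"initial": initial, "master_before": master_before,
            "master_after": master_after, "after_dpd": after_dpd}


if __name__ == "__main__":
    print(simulate())
```

The point of the model is the second half: when ASA1 dies the clients it served do not know about ASA2 at all; they only get there because they go back to the virtual IP, which the surviving master now answers. That is why DPD (or an equally fast liveness check) on the client side matters as much as the cluster configuration.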
The commands used to configure VCA on the ASA are as follows:
asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address virtual_ip_address
asa(config-load-balancing)# cluster port port_#
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key shared_secret_key
asa(config-load-balancing)# interface (lbprivate | lbpublic) logical_interface_name
asa(config-load-balancing)# nat ip_address
asa(config-load-balancing)# priority priority_#
asa(config-load-balancing)# participate
cluster ip address virtual_ip_address — defines the virtual IP address. Remote devices use this address as the Easy VPN server address.
cluster port port_# — the load-balancing port defaults to UDP 9023. If you change it with this command, it must be changed to the same value on all cluster members.
cluster encryption — by default cluster members send VCA messages in clear text; this command enables VCA encryption.
cluster key shared_secret_key — the shared secret used to encrypt the VCA messages; it must be the same on all members.
interface (lbprivate | lbpublic) logical_interface_name — specifies which ASA interface the lbprivate role and which interface the lbpublic role are associated with.
nat ip_address — only used when a NAT device sits between the ASA and the remote users; specifies the translated (public) address of the ASA's public interface as seen by remote users.
priority priority_# — the priority used to elect the ACTIVE (master) device; the higher the number, the higher the priority. The default is 5 on the 5520 and 7 on the 5540.
participate — starts load balancing (the device joins the cluster).
Example
Remote clients connect to 192.1.1.3. By default ASA1 handles the initial connection, because it is configured with priority 10 while ASA2 keeps its default priority.
ASA1
interface g0/1
ip address 192.1.1.1 255.255.255.0
nameif public
security-level 0
interface g0/2
ip address 192.168.1.1 255.255.255.0
nameif private
security-level 100
asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address 192.1.1.3
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key 123cisco
asa(config-load-balancing)# interface lbprivate private
asa(config-load-balancing)# interface lbpublic public
asa(config-load-balancing)# priority 10
asa(config-load-balancing)# participate
ASA2
interface g0/1
ip address 192.1.1.2 255.255.255.0
nameif public
security-level 0
interface g0/2
ip address 192.168.1.2 255.255.255.0
nameif private
security-level 100
asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address 192.1.1.3
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key 123cisco
asa(config-load-balancing)# interface lbprivate private
asa(config-load-balancing)# interface lbpublic public
asa(config-load-balancing)# participate
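Because the cluster only forms when every member agrees on the virtual IP, the port, the encryption setting and the key, and because the master is simply the member with the highest priority, it is worth checking a set of member configs before applying them. The following checker is an added example written for this page (not a Cisco tool): it parses command lines in the prompt style shown above, applies the consistency rules the command descriptions give, and predicts which member will become master. The constructed sample input is the ASA1 and ASA2 configuration from this page. The default priority of 5 is an assumption taken from the ASA 5520 default quoted above; other models differ.

```python
"""Consistency checker for ASA VPN load-balancing (VCA) member configs.

Added example for this page, not a Cisco tool. It understands the
vpn load-balancing commands listed on this page, pasted with or without
the asa(config-load-balancing)# prompt.
"""
import re

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")  # strips "asa(config-...)# " if present
DEFAULT_PORT = 9023        # cluster port default given on this page
DEFAULT_PRIORITY = 5       # assumption: ASA 5520 default quoted on this page


def parse_vca(text):
    """Collect the settings under 'vpn load-balancing' from CLI-style text."""
    cfg = {"virtual_ip": None, "port": DEFAULT_PORT, "encryption": False, "key": None,
           "interfaces": {}, "nat": None, "priority": DEFAULT_PRIORITY, "participate": False}
    in_block = False
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line == "vpn load-balancing":
            in_block = True
            continue
        if not in_block:
            continue
        w = line.split()
        if w[:3] == ["cluster", "ip", "address"]:
            cfg["virtual_ip"] = w[3]
        elif w[:2] == ["cluster", "port"]:
            cfg["port"] = int(w[2])
        elif w[:2] == ["cluster", "encryption"]:
            cfg["encryption"] = True
        elif w[:2] == ["cluster", "key"]:
            cfg["key"] = w[2]
        elif w[0] == "interface" and len(w) > 2 and w[1] in ("lbprivate", "lbpublic"):
            cfg["interfaces"][w[1]] = w[2]
        elif w[0] == "nat":
            cfg["nat"] = w[1]
        elif w[0] == "priority":
            cfg["priority"] = int(w[1])
        elif w[0] == "participate":
            cfg["participate"] = True
    return cfg


def check_cluster(members):
    """Return (findings, expected_master) for a dict of member name -> config text."""
    parsed = {name: parse_vca(text) for name, text in members.items()}
    findings = []
    # Per-member completeness.
    for name, cfg in parsed.items():
        if cfg["virtual_ip"] is None:
            findings.append(f"{name}: no cluster ip address configured")
        for role in ("lbprivate", "lbpublic"):
            if role not in cfg["interfaces"]:
                findings.append(f"{name}: no interface {role} configured")
        if cfg["encryption"] and cfg["key"] is None:
            findings.append(f"{name}: cluster encryption enabled but no cluster key")
        if not cfg["participate"]:
            findings.append(f"{name}: participate missing, member will not join the cluster")
    # Cluster-wide agreement: these must be identical on every member.
    for field in ("virtual_ip", "port", "encryption", "key"):
        values = {cfg[field] for cfg in parsed.values()}
        if len(values) > 1:
            findings.append(f"{field} differs across members: {sorted(map(str, values))}")
    expected_master = max(parsed, key=lambda n: parsed[n]["priority"]) if parsed else None
    return findings, expected_master


# Constructed sample input: the ASA1 and ASA2 configs shown on this page.
ASA1 = """
asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address 192.1.1.3
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key 123cisco
asa(config-load-balancing)# interface lbprivate private
asa(config-load-balancing)# interface lbpublic public
asa(config-load-balancing)# priority 10
asa(config-load-balancing)# participate
"""
ASA2 = """
asa(config)# vpn load-balancing
asa(config-load-balancing)# cluster ip address 192.1.1.3
asa(config-load-balancing)# cluster encryption
asa(config-load-balancing)# cluster key 123cisco
asa(config-load-balancing)# interface lbprivate private
asa(config-load-balancing)# interface lbpublic public
asa(config-load-balancing)# participate
"""

if __name__ == "__main__":
    findings, master = check_cluster({"ASA1": ASA1, "ASA2": ASA2})
    print("findings:", findings or "none", "| expected master:", master)
```

Run it against the page's two configs and it reports no findings and ASA1 as the expected master; change the port or the key on one member only and the cluster-wide check flags it, which is exactly the kind of mismatch that silently leaves a member outside the cluster.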