2 провайдера, VPN. 2 офиса cisco asa 5550

@gvov80 · Регистрация: 30.12.2018

Студворк — интернет-сервис помощи студентам

Здравствуйте, имеется схема подключения (прилагается)
, также конфиги двух asa (FW1 и FW2).

Схема

На текущий момент подключено по одному провайдеру и организована сеть Site to Site VPN, есть второй провайдер и нужно зарезервировать каналы через второго провайдера. Что нужно добавить в конфиги чтоб схема заработала?

Вот текущие рабочие конфиги:

: Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
ASA Version 9.1(7)16
!
hostname fw1
enable password *** encrypted
passwd *** encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside2
security-level 0
ip address 1.1.2.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
nameif manage
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu manage 1500
mtu outside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 2.2.1.2 255.255.255.255 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 manage
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 2.2.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal 3DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 manage
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_2.2.1.2 internal
group-policy GroupPolicy_2.2.1.2 attributes
vpn-tunnel-protocol ikev1 ikev2
username root password *** encrypted
tunnel-group 2.2.1.2 type ipsec-l2l
tunnel-group 2.2.1.2 general-attributes
default-group-policy GroupPolicy_2.2.1.2
tunnel-group 2.2.1.2 ipsec-attributes
ikev1 pre-shared-key 12345678
ikev2 remote-authentication pre-shared-key 12345678
ikev2 local-authentication pre-shared-key 12345678
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/se... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5a137061e6083133afe494f5b 9f6cd33
: end

и

: Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
!
ASA Version 9.1(7)16
!
hostname fw2
enable password *** encrypted
passwd *** encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2.2.1.2 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
nameif outside2
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
interface Management0/0
nameif manage
security-level 100
ip address 192.168.1.2 255.255.255.0
!
ftp mode passive
access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu manage 1500
mtu outside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 2.2.1.1 1
route outside 1.1.1.2 255.255.255.255 2.2.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 manage
http 10.2.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal 3DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.2.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 manage
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_1.1.1.2 internal
group-policy GroupPolicy_1.1.1.2 attributes
vpn-tunnel-protocol ikev1 ikev2
username root password 39OP6SqBUg7oORYk encrypted
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 general-attributes
default-group-policy GroupPolicy_1.1.1.2
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key 12345678
ikev2 remote-authentication pre-shared-key 12345678
ikev2 local-authentication pre-shared-key 12345678
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/se... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5a137061e6083133afe494f5b 9f6cd33
: end

Новые блоги и статьи Все статьи Все блоги /
Ритм жизни kumehtar 27.02.2026 Иногда приходится жить в ритме, где дел становится всё больше, а вовлечения в происходящее — всё меньше. Плотный график не даёт вниманию закрепиться ни на одном событии. Утро начинается с быстрых,. . .	SDL3 для Web (WebAssembly): Сборка SDL3 и Box2D из исходников с помощью CMake и Emscripten 8Observer8 27.02.2026 Недавно вышла версия 3. 4. 2 библиотеки SDL3. На странице официальной релиза доступны исходники, готовые DLL (для x86, x64, arm64), а также библиотеки для разработки под Android, MinGW и Visual Studio. . . .	SDL3 для Web (WebAssembly): Реализация движения на Box2D v3 - трение и коллизии с повёрнутыми стенами 8Observer8 20.02.2026 Содержание блога Box2D позволяет легко создать главного героя, который не проходит сквозь стены и перемещается с заданным трением о препятствия, которые можно располагать под углом, как верхнее. . .	Конвертировать закладки radiotray-ng в m3u-плейлист damix 19.02.2026 Это можно сделать скриптом для PowerShell. Использование . \СonvertRadiotrayToM3U. ps1 <path_to_bookmarks. json> Рядом с файлом bookmarks. json появится файл bookmarks. m3u с результатом. # Check if. . .
Семь CDC на одном интерфейсе: 5 U[S]ARTов, 1 CAN и 1 SSI Eddy_Em 18.02.2026 Постепенно допиливаю свою "многоинтерфейсную плату". Выглядит вот так: https:/ / www. cyberforum. ru/ blog_attachment. php?attachmentid=11617&stc=1&d=1771445347 Основана на STM32F303RBT6. На борту пять. . .	Камера Toupcam IUA500KMA Eddy_Em 12.02.2026 Т. к. у всяких "хикроботов" слишком уж мелкий пиксель, для подсмотра в ESPriF они вообще плохо годятся: уже 14 величину можно рассмотреть еле-еле лишь на экспозициях под 3 секунды (а то и больше),. . .	И ясному Солнцу zbw 12.02.2026 И ясному Солнцу, и светлой Луне. В мире покоя нет и люди не могут жить в тишине. А жить им немного лет.	«Знание-Сила» zbw 12.02.2026 «Знание-Сила» «Время-Деньги» «Деньги -Пуля»

@gvov80 0 / 0 / 0 Регистрация: 30.12.2018 Сообщений: 5

	2 провайдера, VPN. 2 офиса cisco asa 5550 16.04.2019, 09:44. Показов 1772. Ответов 0 Метки asa, cisco, ipsec, vpn (Все метки) Здравствуйте, имеется схема подключения (прилагается) , также конфиги двух asa (FW1 и FW2). Схема На текущий момент подключено по одному провайдеру и организована сеть Site to Site VPN, есть второй провайдер и нужно зарезервировать каналы через второго провайдера. Что нужно добавить в конфиги чтоб схема заработала? Вот текущие рабочие конфиги: : Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz ASA Version 9.1(7)16 ! hostname fw1 enable password * encrypted passwd * encrypted names ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 1.1.1.2 255.255.255.0 ! interface GigabitEthernet0/1 nameif outside2 security-level 0 ip address 1.1.2.2 255.255.255.0 ! interface GigabitEthernet0/3 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0 ! interface Management0/0 nameif manage security-level 100 ip address 192.168.1.1 255.255.255.0 ! ftp mode passive access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 mtu manage 1500 mtu outside2 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 route outside 2.2.1.2 255.255.255.255 1.1.1.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 manage http 10.1.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set peer 2.2.1.2 crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map outside_map 1 set ikev2 ipsec-proposal 3DES crypto map outside_map interface outside crypto ca trustpool policy crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev1 enable outside crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 10.1.1.0 255.255.255.0 inside ssh 192.168.1.0 255.255.255.0 manage ssh timeout 60 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy GroupPolicy_2.2.1.2 internal group-policy GroupPolicy_2.2.1.2 attributes vpn-tunnel-protocol ikev1 ikev2 username root password * encrypted tunnel-group 2.2.1.2 type ipsec-l2l tunnel-group 2.2.1.2 general-attributes default-group-policy GroupPolicy_2.2.1.2 tunnel-group 2.2.1.2 ipsec-attributes ikev1 pre-shared-key 12345678 ikev2 remote-authentication pre-shared-key 12345678 ikev2 local-authentication pre-shared-key 12345678 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/se... DCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:5a137061e6083133afe494f5b 9f6cd33 : end и : Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz ! ASA Version 9.1(7)16 ! hostname fw2 enable password * encrypted passwd *** encrypted names ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 2.2.1.2 255.255.255.0 ! interface GigabitEthernet0/1 shutdown nameif outside2 security-level 0 ip address 2.2.2.2 255.255.255.0 ! interface GigabitEthernet0/3 nameif inside security-level 100 ip address 10.2.2.1 255.255.255.0 ! interface Management0/0 nameif manage security-level 100 ip address 192.168.1.2 255.255.255.0 ! ftp mode passive access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 mtu manage 1500 mtu outside2 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected route outside 0.0.0.0 0.0.0.0 2.2.1.1 1 route outside 1.1.1.2 255.255.255.255 2.2.1.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 manage http 10.2.2.0 255.255.255.0 inside no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto map outside_map 1 match address outside_cryptomap crypto map outside_map 1 set peer 1.1.1.2 crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA crypto map outside_map 1 set ikev2 ipsec-proposal 3DES crypto map outside_map interface outside crypto ca trustpool policy crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev1 enable outside crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh stricthostkeycheck ssh 10.2.2.0 255.255.255.0 inside ssh 192.168.1.0 255.255.255.0 manage ssh timeout 60 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 ! tls-proxy maximum-session 1000 ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy GroupPolicy_1.1.1.2 internal group-policy GroupPolicy_1.1.1.2 attributes vpn-tunnel-protocol ikev1 ikev2 username root password 39OP6SqBUg7oORYk encrypted tunnel-group 1.1.1.2 type ipsec-l2l tunnel-group 1.1.1.2 general-attributes default-group-policy GroupPolicy_1.1.1.2 tunnel-group 1.1.1.2 ipsec-attributes ikev1 pre-shared-key 12345678 ikev2 remote-authentication pre-shared-key 12345678 ikev2 local-authentication pre-shared-key 12345678 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/se... DCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:5a137061e6083133afe494f5b 9f6cd33 : end 0