amith_rao
Contributor

Site to Site VPN link redundancy with 3rd party Gateway(Cisco ASA)

Hello Folks

Please find my requirement below.

Scenario:

The customer is using a Juniper firewall (local) placed behind a load balancer that uses two ISP links, TATA and Airtel, for VPN. The Juniper firewall is connected to the load balancer on a single interface (private IP). The peer end is a Cisco ASA firewall with a single ISP link for VPN communication.

The VPN configured between the Juniper firewall and the Cisco ASA has link redundancy, i.e. the two ISP links (TATA and Airtel) of the load balancer are NATed to the Juniper firewall's external interface IP (private), and on the peer side the Cisco ASA firewall is configured to probe these two public IPs, as shown in the diagram below.

Workflow:

TATA is the primary ISP link of the load balancer for the VPN traffic; when the TATA ISP link goes down, the VPN tunnel fails over to the Airtel link.

[Image: Topology 1]

Query:

Now, in place of the Juniper, we are going to deploy a Check Point firewall (model: 5900, deployment mode: cluster, OS: Gaia, version: R80.30).

So can we achieve the same VPN link redundancy between Check Point and Cisco with the Check Point's single interface behind a NATed device (load balancer with two ISP links)? If so, then how?

[Image: Topology 2]

Assuming the first option is not possible, can we achieve the same requirement when the two public IPs are terminated directly on the Check Point and the peer Cisco ASA is configured to probe these two public IPs? If so, then how?

[Image: Topology 3]

PhoneBoy
Admin

The Check Point device can be behind NAT.
Usually this means changing Link Selection to the relevant IP, though I'm not 100% sure how that will work.
I suspect authentication will need to be by certificates here.

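As an added example that is not part of the original post or reply, and not taken from Check Point or Cisco documentation for this specific setup: the Cisco ASA side of the "probe two public IPs" arrangement from Topology 1, with both public addresses listed as peers on one crypto map entry and DPD enabled so the ASA notices a dead link and moves to the next peer. The IP addresses (RFC 5737 documentation ranges), subnets, ACL, crypto map, transform set and trustpoint names are all assumptions; certificate authentication is used because the reply above suggests it will be needed when the Check Point is behind NAT.

```cisco
! Cisco ASA (8.4 or later), constructed example.
! 203.0.113.10 = TATA public IP (primary), 198.51.100.20 = Airtel public IP (backup).
! All names and addresses are placeholders chosen for this illustration.

! Interesting traffic: ASA-side LAN to the Check Point-side LAN
access-list ACL_TO_CHECKPOINT extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

! IKEv1 phase 1 with certificate authentication (rsa-sig).
! Use "authentication pre-share" plus "ikev1 pre-shared-key" under each tunnel-group
! instead if pre-shared keys are acceptable for this deployment.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! Two peers on one crypto map entry: the ASA negotiates with the first peer in the
! list and, once DPD declares it dead, tries the next one.
crypto map OUTSIDE_MAP 10 match address ACL_TO_CHECKPOINT
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 198.51.100.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer address. DPD (isakmp keepalive) is what detects the
! failed ISP link; without it the ASA keeps using the dead SA until it expires.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 trust-point ASA_VPN_CA
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 trust-point ASA_VPN_CA
 isakmp keepalive threshold 10 retry 2
```

To check which peer is currently in use, `show crypto ikev1 sa` and `show crypto ipsec sa peer 203.0.113.10` (or the Airtel address) show the active SAs. Two caveats worth testing before relying on this: the ASA does not automatically return to the first peer when the TATA link comes back, it stays on the backup peer until that SA is torn down or cleared; and the Check Point side must be set, in its gateway object's Link Selection settings in SmartConsole, to present the matching public address to this peer, which is the part the reply above flags as uncertain and which is not shown here.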