Welcome to Cisco Firewalls Community
Site-to-Site VPN connection broken after adding a new outside interface

Hello all,

I've an ASA5506 previously configured with one outside interface. This interface is used for both internet for employees and Site-to-Site VPN for external companies...

The ISP is renewing its equipment and added a new modem/circuit before removing the old one.

I then configured a new external interface to be able to migrate all VPN connections one by one, but I am facing an issue.


My idea was to keep the 2 interfaces active and first migrate internet access to the new line and then migrate the S2S VPNs one by one, then once validated remove the old connection.

So I created a new route for the 0.0.0.0 traffic to go through the new interface but with a lower metric "2", then I changed the "outside" metric to "3" in order to redirect the internet traffic to the new interface.

-route outside 0.0.0.0 0.0.0.0 <publicIP_1> 1 (->3)
-route newISP 0.0.0.0 0.0.0.0 <publicIP_2> 2


... and it worked fine, except that all the VPN-connected companies lost access to our internal network (oops!). I reverted the route metric ASAP and didn't have time to investigate/troubleshoot the problem. Of course, now I am a bit afraid of going any further with new changes.


Do you have any idea what I could have done wrong?


Thanks a lot in advance for your help!


Re: Site-to-Site VPN connection broken after adding a new outside interface

Hi,


How are your VPNs configured? Policy Based / Route Based?


Did you add static routes for each of the remote VPN endpoints and point them out your "old" Internet pipe?


From the info you have provided, all Internet traffic will be going out the new interface, including the routing of the remote VPN public IPs. There may not be any crypto binding on this new interface, etc.


ACLs and NATs are other areas you may want to look at as part of the wider picture.


If you could share the config it might help in advising further.


Just some thoughts based on the info so far.
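An added illustration, not part of the thread and not from either poster, of the route and crypto-binding layout the reply points at: the interface names and the two default routes follow the question, while the peer addresses, crypto map names and the hosts used for verification are assumed placeholders.

```cisco
! Added example (not the poster's config): ASA static routes for a two-ISP
! migration in which the site-to-site VPNs keep terminating on "outside".
! <publicIP_1>/<publicIP_2> are the gateways from the question; every
! <peerIP_*> and <...Host> value below is an assumed placeholder.
!
! --- Default routes: Internet traffic prefers the new circuit (lower metric) ---
route outside 0.0.0.0 0.0.0.0 <publicIP_1> 3
route newISP 0.0.0.0 0.0.0.0 <publicIP_2> 2
!
! --- Host routes for each remote VPN peer that still terminates on "outside" ---
! Without these, the peer's public IP follows the default route out newISP,
! an interface with no crypto map applied, so the tunnels drop as the
! question describes. A /32 is more specific than 0.0.0.0/0 and wins.
route outside <peerIP_companyA> 255.255.255.255 <publicIP_1> 1
route outside <peerIP_companyB> 255.255.255.255 <publicIP_1> 1
!
! --- Crypto map and IKE stay bound to the old interface until a peer moves ---
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
!
! --- Migrating a single peer to newISP: move its host route and binding ---
! (the remote side must also change its peer address to <publicIP_2>;
!  NAT exemption rules are interface-scoped and need reviewing too)
! no route outside <peerIP_companyA> 255.255.255.255 <publicIP_1> 1
! route newISP <peerIP_companyA> 255.255.255.255 <publicIP_2> 1
! crypto map newISP_map interface newISP
! crypto ikev1 enable newISP
!
! --- Verification after each change ---
! show route                       (the /32 peer routes sit above both defaults)
! show crypto ikev1 sa             (peer SA is established on "outside")
! show crypto ipsec sa             (encaps/decaps counters increase)
! packet-tracer input inside tcp <insideHost> 1234 <remoteLanHost> 443
```

Running the packet-tracer before and after the metric change shows which egress interface the ASA picks for the peer's traffic, which is the quickest way to confirm the tunnel will survive the cut-over.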