Enthusiast

Two Separate Active Crypto Maps & VPNs routing through different ISP WAN connections to different sites on a 5506

Hi All,

I have a site in the field that uses a SonicWall that I need to transpose into Cisco speak and replace with an ASA 5506. This site has 4 WAN connections. I think that's overkill, but I can't influence changing it yet. What they are doing is running a VPN tunnel to a branch office off their primary WAN link, and running a separate VPN tunnel on the same firewall to the head office, but off their tertiary link.

Replicating that logically in the ASA seems to make sense in my head except for one problem: the default route is always going to point to the primary WAN line, so how can I make a VPN work on the tertiary connection when the default route is pointing to the primary connection? Is it possible to just route the far-end peer IP associated with the tertiary connection out the tertiary link, or would that link need to see all internet subnets, and not just the far-end VPN peer IP, to successfully bring up the tunnel on tertiary while the other tunnel on primary runs simultaneously to the other branch?

1 ACCEPTED SOLUTION

Accepted Solutions
Enthusiast

Re: Two Separate Active Crypto Maps & VPNs routing through different ISP WAN connections to different sites on a 5506

Hi,
You can create a route towards the far-end peer IP and subnet via the tertiary link, create a separate crypto map, and bind it to the tertiary link.
All other traffic will then take the default route pointing to the primary link; bind the other crypto map to the primary link so the other VPNs work.

HTH
Abheesh
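As an added example (not configuration from the original thread or from either poster), here is one way to express the accepted answer as ASA 9.x CLI. Only two of the site's four WAN links are shown. Every interface name, address (RFC 5737 documentation ranges), object name and pre-shared-key placeholder is assumed for illustration. The point it demonstrates: the tertiary link does not need a default route or "all internet subnets", it needs a host route to the far-end peer (for the encrypted ESP/IKE packets) plus a route for the remote subnet (so the cleartext traffic leaves via the interface that carries the HQ crypto map) and an identity NAT rule per tunnel.

```cisco
! --- Added example (assumed names/addresses), not from the original thread ---
! Interfaces: primary WAN, tertiary WAN, and the LAN
interface GigabitEthernet1/1
 nameif outside-primary
 security-level 0
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet1/3
 nameif outside-tertiary
 security-level 0
 ip address 203.0.113.2 255.255.255.252

! Routing: one default route via the primary ISP gateway (assumed 192.0.2.1).
! For the tertiary link only two routes are needed:
!   - a /32 to the HQ peer, so IKE/ESP to that peer egresses outside-tertiary
!   - the HQ LAN, so cleartext traffic is steered to the interface with CM-TERTIARY
route outside-primary  0.0.0.0       0.0.0.0         192.0.2.1   1
route outside-tertiary 198.51.100.50 255.255.255.255 203.0.113.1 1
route outside-tertiary 10.30.0.0     255.255.255.0   203.0.113.1 1

! Network objects (assumed subnets)
object network LAN
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside-primary) dynamic interface   ! Internet PAT via primary only
object network BRANCH-LAN
 subnet 10.20.0.0 255.255.255.0
object network HQ-LAN
 subnet 10.30.0.0 255.255.255.0

! Identity NAT (manual/twice NAT, evaluated before the object PAT above) so
! VPN traffic is never PATed; one rule per tunnel, paired with its WAN interface.
nat (inside,outside-primary)  source static LAN LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
nat (inside,outside-tertiary) source static LAN LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup

! Interesting traffic, one ACL per tunnel
access-list VPN-BRANCH extended permit ip object LAN object BRANCH-LAN
access-list VPN-HQ     extended permit ip object LAN object HQ-LAN

! IKEv1 phase 1, enabled on BOTH WAN interfaces that carry a crypto map
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside-primary
crypto ikev1 enable outside-tertiary

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map 1: branch tunnel, bound to the primary WAN (peer assumed 198.51.100.10)
crypto map CM-PRIMARY 10 match address VPN-BRANCH
crypto map CM-PRIMARY 10 set peer 198.51.100.10
crypto map CM-PRIMARY 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-PRIMARY interface outside-primary

! Crypto map 2: head-office tunnel, bound to the tertiary WAN (peer assumed 198.51.100.50)
crypto map CM-TERTIARY 10 match address VPN-HQ
crypto map CM-TERTIARY 10 set peer 198.51.100.50
crypto map CM-TERTIARY 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-TERTIARY interface outside-tertiary

! Peer authentication (replace the placeholders with real, distinct keys)
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key BRANCH-PSK-PLACEHOLDER
tunnel-group 198.51.100.50 type ipsec-l2l
tunnel-group 198.51.100.50 ipsec-attributes
 ikev1 pre-shared-key HQ-PSK-PLACEHOLDER
```

To check the routing decision before bringing the link up, `packet-tracer input inside tcp 10.10.0.5 1234 10.30.0.5 445` should show egress on outside-tertiary and a VPN encrypt phase; `show route`, `show crypto ikev1 sa` and `show crypto ipsec sa peer 198.51.100.50` confirm the /32 route and the SAs once the tunnel is up. Two caveats a practitioner should keep in mind: the tertiary ISP must pass UDP/500, UDP/4500 and ESP to and from the ASA's own address on that link, and because the HQ tunnel depends on the static routes above, a failure of the tertiary link does not fail the tunnel over to primary unless you add a backup peer on the HQ side, a higher-metric backup route, and SLA tracking, none of which this example includes.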
2 REPLIES
Participant

Re: Two Separate Active Crypto Maps & VPNs routing through different ISP WAN connections to different sites on a 5506

Hi,

Cisco devices do not need specific static routes to send IPsec VPN traffic to a specific interface. We can configure an ACL for interesting traffic that selects the source and destination related to a specific VPN, and that will automatically route through the specific IPsec VPN.

If you only have ILLs or VPN links (not IPsec VPNs), you can even select source traffic using PBR (policy-based routing) and send it through a specific gateway.

Regards,
