I have a site in the field that uses a Sonicwall that I need to transpose to Cisco speak and replace it with an ASA 5506. This site has 4 WAN connections. I think that's overkill but I can't influence changing it yet. What they are doing is running a VPN tunnel to a branch office off of their primary WAN link, and running a separate VPN tunnel on the same firewall to the head office, but off of their tertiary link.
Replicating that logically in the ASA seems to make sense in my head except for one problem: the default route is going to always point to the primary WAN line, so how can I make a VPN work on the tertiary connection when the default route is pointing to the primary connection? Is it possible to just route the far-end peer IP associated with the tertiary connection out the tertiary link, or would that link need to see all internet subnets and not just the far-end VPN peer IP to successfully bring up the tunnel on tertiary while the other tunnel on primary runs simultaneously to the other branch?
Cisco devices do not need specific static routes to send IPsec VPN traffic to a specific interface. We can configure an ACL for interesting traffic that selects the source and destination related to a specific VPN, and that will automatically route through the specific IPsec VPN.
If you have only ILLs or VPN links (not IPsec VPNs), you can even select source traffic using PBR (policy-based routing) and send it through a specific gateway.
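As an added illustration in ASA syntax (not from either post above): the branch tunnel is bound to the primary interface and the head-office tunnel to the tertiary one, and a /32 route for the head-office peer makes IKE and ESP to that peer leave via the tertiary link while the default route stays on primary. The interface names (inside, primary, tertiary), addresses, subnets, peer IPs and pre-shared-key placeholders are all assumed values.

```cisco
! Default route via primary carries ordinary Internet traffic
route primary 0.0.0.0 0.0.0.0 198.51.100.1 1
! Host route: only the head-office peer is reached via tertiary, so IKE/ESP
! to that peer egresses the tertiary interface despite the default route
route tertiary 192.0.2.10 255.255.255.255 203.0.113.1 1
!
! Interesting traffic, one ACL per tunnel (the ACL selects which tunnel)
access-list BRANCH_VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list HQ_VPN extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
!
! Exempt tunnelled traffic from NAT on each egress interface
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.0.0
object network HQ_LAN
 subnet 10.0.0.0 255.255.0.0
nat (inside,primary) source static LOCAL_LAN LOCAL_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
nat (inside,tertiary) source static LOCAL_LAN LOCAL_LAN destination static HQ_LAN HQ_LAN no-proxy-arp route-lookup
!
! IKEv2 and IPsec parameters
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Separate crypto map per WAN interface, each with its own peer
crypto map PRIMARY_MAP 10 match address BRANCH_VPN
crypto map PRIMARY_MAP 10 set peer 198.51.100.200
crypto map PRIMARY_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map PRIMARY_MAP interface primary
crypto map TERTIARY_MAP 10 match address HQ_VPN
crypto map TERTIARY_MAP 10 set peer 192.0.2.10
crypto map TERTIARY_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map TERTIARY_MAP interface tertiary
crypto ikev2 enable primary
crypto ikev2 enable tertiary
!
tunnel-group 198.51.100.200 type ipsec-l2l
tunnel-group 198.51.100.200 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK_PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK_PLACEHOLDER>
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK_PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK_PLACEHOLDER>
```

Only the peer's /32 needs to leave via tertiary; that link does not have to carry a full default route for the tunnel to establish, and `show crypto ikev2 sa` will list each SA against the interface it came up on.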