Two Separate Active Crypto Maps & VPN's routing through different ISP WAN connections to different sites in 5506

Dean Romanelli
Level 4

Hi All,

I have a site in the field that uses a SonicWall that I need to transpose to Cisco speak and replace it with an ASA 5506. This site has 4 WAN connections. I think that's overkill but I can't influence changing it yet. What they are doing is running a VPN tunnel to a branch office off of their primary WAN link, and running a separate VPN tunnel on the same firewall to the head office, but off of their tertiary link.

Replicating that logically in the ASA seems to make sense in my head except for one problem: the default route is going to always point to the primary WAN line, so how can I make a VPN work on the tertiary connection when the default route is pointing to the primary connection? Is it possible to just route the far-end peer IP associated with the tertiary connection out the tertiary link, or would that link need to see all internet subnets and not just the far-end VPN peer IP to successfully bring up the tunnel on tertiary while the other tunnel on primary runs simultaneously to the other branch?

Accepted Solution

Abheesh Kumar
VIP Alumni
Hi,
You can create a route towards the far-end peer IP and subnet via the tertiary link, and create a separate crypto map and bind it to the tertiary link.
So all other traffic will take the default route pointing to the primary link; bind the other crypto map to the primary link so the other VPNs work.

HTH
Abheesh
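A sketch of what Abheesh describes on an ASA 5506-X, as an added example rather than configuration from this thread: the interface names (outside_primary, outside_tertiary), the peer and LAN addresses (documentation ranges), and the IKEv2 parameters are assumed, and the pre-shared keys are placeholders.

```cisco
! Default route stays on the primary WAN link (assumed gateway 192.0.2.1)
route outside_primary 0.0.0.0 0.0.0.0 192.0.2.1 1
! Head-office peer AND its LAN go via the tertiary link, so both the
! IKE/ESP packets and the cleartext destination lookup pick that interface
route outside_tertiary 203.0.113.10 255.255.255.255 198.51.100.1 1
route outside_tertiary 10.200.0.0 255.255.0.0 198.51.100.1 1

object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.100.0.0 255.255.0.0
object network HQ_LAN
 subnet 10.200.0.0 255.255.0.0

! Interesting traffic per tunnel, plus NAT exemption on the matching interface
access-list VPN_BRANCH extended permit ip object LOCAL_LAN object BRANCH_LAN
access-list VPN_HQ extended permit ip object LOCAL_LAN object HQ_LAN
nat (inside,outside_primary) source static LOCAL_LAN LOCAL_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
nat (inside,outside_tertiary) source static LOCAL_LAN LOCAL_LAN destination static HQ_LAN HQ_LAN no-proxy-arp route-lookup

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! One tunnel-group per peer; replace the placeholder keys
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key BRANCH_PSK_PLACEHOLDER
 ikev2 local-authentication pre-shared-key BRANCH_PSK_PLACEHOLDER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key HQ_PSK_PLACEHOLDER
 ikev2 local-authentication pre-shared-key HQ_PSK_PLACEHOLDER

! Separate crypto maps, each bound to its own WAN interface
crypto map MAP_PRIMARY 10 match address VPN_BRANCH
crypto map MAP_PRIMARY 10 set peer 203.0.113.20
crypto map MAP_PRIMARY 10 set ikev2 ipsec-proposal AES256_SHA256
crypto map MAP_PRIMARY interface outside_primary
crypto map MAP_TERTIARY 10 match address VPN_HQ
crypto map MAP_TERTIARY 10 set peer 203.0.113.10
crypto map MAP_TERTIARY 10 set ikev2 ipsec-proposal AES256_SHA256
crypto map MAP_TERTIARY interface outside_tertiary
crypto ikev2 enable outside_primary
crypto ikev2 enable outside_tertiary
```

The route to HQ_LAN via the tertiary link matters as much as the host route to the peer: the ASA selects the egress interface from the cleartext destination, so without it head-office traffic would leave outside_primary and never match MAP_TERTIARY. Check both tunnels with `show crypto ikev2 sa` and `show crypto ipsec sa`.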

2 Replies

Hi,

Cisco devices do not need specific static routes to send IPsec VPN traffic out of a specific interface. We can configure an ACL for interesting traffic that selects the source and destination related to a specific VPN, and that traffic will automatically be routed through the specific IPsec VPN.

If you have only ILLs or VPN links (not IPsec VPNs), you can even select source traffic using PBR (policy-based routing) and send it through a specific gateway.

Regards,

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB