Cisco ASA 5510s setup: two firewalls, one for VPN only, the other for VPN tunnel and Internet

William Becker
Level 1

I have a question that I have been working on and cannot seem to figure out. I have 2 ASA 5510s. Both have Internet services from two different providers. One I want to use for VPN access for remote users to connect through; on the other I have a VPN tunnel built and I want to have the corporate Internet access set up because it has a much higher bandwidth. I need the remote users to have access to all the subnets in our network, and I need the VPN tunnel to have access to all the subnets in our network as well. For the record, I am in the process of going through some online training for the ASA; however, I need this to work before I can finish the training, provided this would even be covered in this training, and I don't have the time to wait for a vendor to come in and work with me on this, so I am in kind of a pinch to get this working.

I have 2 subnets in our corporate site. I have other sites connected via an MPLS with their own subnets. Currently I have a default route set up to route Internet out the ASA with the slower Internet port. If I change that route to the other ASA, the VPN users cannot access the subnets.
I am not sure where I need to add a route, with the ASA not capable of routing traffic, or am I wrong?

Thank you for looking and your assistance.

3 Replies

lcambron
Level 3

Hello William,

Maybe if you share the topology we can get a clearer understanding of the issue.

Regards,

Felipe.

shamax_1983
Level 3

Hello William,

Let's say your current ASA is ASA1 (this has your tunnels and RA VPN) and you have a new ASA2 connected and ready to go.

So at this point, I believe you have a router behind the firewall that has all MPLS subnets (connected to the MPLS provider's router on the other side). This router should run some sort of dynamic routing with the provider's router to exchange routes, OR you have a series of static routes on your router for all the branch subnets pointing to your MPLS provider's router?

Also, in this router, you will see a static route for the Remote Access VPN range pointing to ASA1 as well as a default route (0.0.0.0 0.0.0.0) pointing to ASA1. In addition to this, all your remote branches will send traffic into the MPLS cloud and they don't have a local Internet exit, i.e. all Internet traffic will go through ASA1.

On ASA1, you should have static routes for all your subnets (used in the corporate office and other MPLS branches) pointing to the corporate router (mentioned above), OR you have dynamic routing between ASA1 and the router.

---

So for this to work, you should definitely have all the routes defined on ASA1 on ASA2 as well. Also, if you define a new RA VPN IP range on ASA2, you will have to have a new static route on the corporate router pointing to ASA2's inside interface (the interface that connects to the router). Or, if you are planning to use the same RA VPN range used on ASA1 on ASA2, you will have to change the current static route to point to ASA2.

Now, you have to make sure the changes you make on the router get reflected to the other MPLS-connected branches. If you have dynamic routing between your router (corporate) and the provider's MPLS router, you should already be advertising all the "static" and "connected" subnets, so your new RA VPN range will be automatically advertised. If not, you will have to contact your MPLS provider and get them to manually add the new range into the MPLS cloud pointing to the corporate router.

So, I think depending on your setup, simply changing the static route on the router would do the job (most likely), or if you are adding a new range and your provider doesn't exchange dynamic routes, you will have to contact them and get them to add the new range into the MPLS cloud (so the branches/MPLS cloud will know where the new RA VPN range lives).

Let me know if you need more clarification on this. Hopefully I understood your setup correctly.

Also, please don't forget to rate helpful posts.

--

Shamal
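An added illustration of the route layout Shamal describes, not taken from this thread or from either poster's configuration; all addresses are constructed. The corporate router keeps the RA VPN pool pinned to ASA1 while its default route moves to ASA2, and each ASA carries a route for every internal subnet behind the router.

```cisco
! Constructed addressing for this example (not from the thread):
!   Transit segment router <-> firewalls: 192.168.255.0/24
!     core router 192.168.255.1, ASA1 inside 192.168.255.2, ASA2 inside 192.168.255.3
!   Corporate LANs 10.10.0.0/24, 10.20.0.0/24   MPLS branches 10.30.0.0/24, 10.40.0.0/24
!   RA VPN pool on ASA1 172.16.100.0/24          remote LAN behind ASA2's L2L tunnel 10.50.0.0/24

! ===== Corporate router (IOS) =====
! Internet now leaves through ASA2 (the faster link)
ip route 0.0.0.0 0.0.0.0 192.168.255.3
! Keep the RA VPN pool pinned to ASA1. Without this route, replies to VPN users follow
! the default route to ASA2, which holds no connection state for that flow, so the
! reply never gets back to ASA1 (the symptom in the original question).
ip route 172.16.100.0 255.255.255.0 192.168.255.2
! The network on the far side of the site-to-site tunnel terminates on ASA2
ip route 10.50.0.0 255.255.255.0 192.168.255.3
! Branch subnets: static toward the MPLS PE (192.168.254.2, constructed) or learned
! dynamically. If a routing protocol runs with the provider, redistribute the statics
! (or have the provider add 172.16.100.0/24 and 10.50.0.0/24) so branches can reply.
ip route 10.30.0.0 255.255.255.0 192.168.254.2
ip route 10.40.0.0 255.255.255.0 192.168.254.2

! ===== ASA1 (RA VPN only) =====
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.255.0 192.168.255.1 1
route inside 10.20.0.0 255.255.255.0 192.168.255.1 1
route inside 10.30.0.0 255.255.255.0 192.168.255.1 1
route inside 10.40.0.0 255.255.255.0 192.168.255.1 1

! ===== ASA2 (site-to-site tunnel + corporate Internet) =====
! Same inside routes as ASA1, so every internal subnet is reachable for the tunnel and NAT
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.10.0.0 255.255.255.0 192.168.255.1 1
route inside 10.20.0.0 255.255.255.0 192.168.255.1 1
route inside 10.30.0.0 255.255.255.0 192.168.255.1 1
route inside 10.40.0.0 255.255.255.0 192.168.255.1 1
```

Verify with `show route` on each ASA and `show ip route` on the router that a VPN pool address and a branch subnet resolve to the firewall that owns the session, since a stateful firewall drops replies for flows it did not see start.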

Sorry for the delay on the reply. I will draw a diagram and post the configuration, that might make more sense. Thank you for replying to the post.
