Dual ISP, use one for Internet and the second one for VPN

Hi Guys,

I am trying to get a site-to-site tunnel connected via ISP2 on interface GigabitEthernet1/8, while using GigabitEthernet1/1 for all other internet traffic.

Any suggestions would be greatly appreciated.


: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(1)
!
hostname Router
domain-name domain.local
enable password ***** pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto
ip local pool MOBILE_VPN_POOL 172.19.61.1-172.19.61.254 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 100.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/2.2
description Guest
vlan 99
nameif insideGuest
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif outsideVPN
security-level 0
ip address 200.0.0.2 255.255.255.252
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
banner motd ******************************************************************************
banner motd You are entering a restricted network device. This communication constitutes
banner motd an electronic communication within the scope of the Electronic Communication
banner motd Privacy Act, 18 USCA 2510. The unlawful interception, use, or disclosure of
banner motd such information is strictly prohibited under 18 USCA 2511 and any applicable
banner motd laws. Violators will be prosecuted to the fullest extent of the law.
banner motd ******************************************************************************
boot system disk0:/asa9101-lfbff-k8.SPA
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE_NETWORK
subnet 192.168.2.0 255.255.255.0
object network MOBILE_VPN_POOL
subnet 172.19.61.0 255.255.255.0
object network OUTSIDE_PEERSIDE
subnet 192.168.1.0 255.255.255.0
object network insideGuest
subnet 192.168.200.0 255.255.255.0
object network INSIDE_NETWORK_VPN
subnet 192.168.2.0 255.255.255.0
access-list OUTSIDE_ACCESS_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_ACCESS_IN extended permit icmp any any unreachable
access-list MOBILE_VPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list outsideVPN_cryptomap extended permit ip object INSIDE_NETWORK_VPN object OUTSIDE_PEERSIDE
access-list insideGuest_access_in extended permit ip any any
mtu outside 1500
mtu inside 1500
mtu insideGuest 1500
mtu outsideVPN 1500
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static OUTSIDE_PEERSIDE OUTSIDE_PEERSIDE no-proxy-arp route-lookup
nat (any,outsideVPN) source static INSIDE_NETWORK_VPN INSIDE_NETWORK_VPN destination static OUTSIDE_PEERSIDE OUTSIDE_PEERSIDE no-proxy-arp route-lookup
!
object network INSIDE_NETWORK
nat (inside,outside) dynamic interface
object network INSIDE_NETWORK_VPN
nat (inside,outsideVPN) dynamic interface
object network insideGuest
nat (insideGuest,outside) dynamic interface
access-group OUTSIDE_ACCESS_IN in interface outside
access-group insideGuest_access_in in interface insideGuest
route outside 0.0.0.0 0.0.0.0 100.0.0.1 1
route outsideVPN 0.0.0.0 0.0.0.0 200.0.0.1 254
user-identity default-domain LOCAL
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outsideVPN_map 1 match address outsideVPN_cryptomap
crypto map outsideVPN_map 1 set peer 200.0.0.2
crypto map outsideVPN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsideVPN_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outsideVPN_map interface outsideVPN
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable outsideVPN
no crypto ikev2 fragmentation
crypto ikev1 enable outside
crypto ikev1 enable outsideVPN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
console timeout 0
management-access inside
ntp server 129.6.15.28
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_200.0.0.2 internal
group-policy GroupPolicy_200.0.0.2 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MOBILE_VPN_SPLIT_TUNNEL
address-pools value MOBILE_VPN_POOL
dynamic-access-policy-record DfltAccessPolicy
username cisco password ***** pbkdf2 privilege 15
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
address-pool MOBILE_VPN_POOL
default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
group-alias VPN enable
tunnel-group 200.0.0.2 type ipsec-l2l
tunnel-group 200.0.0.2 general-attributes
default-group-policy GroupPolicy_200.0.0.2
tunnel-group 200.0.0.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map flow_export_class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1024
no tcp-inspection
policy-map global_policy
class inspection_default
class class-default
set connection decrement-ttl
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 1024
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 1024
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
: end

Accepted Solution
Georg Pauwen
VIP Expert

Hello,

The problem is that you cannot have two default routes. With your current routing, nothing will ever go out interface GigabitEthernet1/8.

Try and remove the existing route:

--> no route outsideVPN 0.0.0.0 0.0.0.0 200.0.0.1 254

and add a specific route for the remote subnet:

--> route outsideVPN 192.168.1.0 255.255.255.0 200.0.0.1 254

balaji.bandi
VIP Master

Is this a lab environment or real?

What is the issue you are facing?

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

Hi Balaji,

It's a real environment; the tunnel does not connect via GigabitEthernet1/8.

 

What does the debug show? What is on the other end? Let me review the config here.

BB


Hi Georg,

It worked when I added

route outsideVPN 192.168.1.0 255.255.255.0 200.0.0.1 254
route outsideVPN 201.0.0.0 255.255.255.0 200.0.0.1 254

for the tunnel to be established.

Thank you all very much!

Elliot Dierksen
Enthusiast

Another possibility would be to create a second security context for VPN. It does make the configuration more complicated, but that could do it. Each context would need its own IP address. In an ideal world, you would not share physical interfaces between contexts. That can be done, but it has some other complicating factors. It looks like you have more than enough interfaces to do that.

MHM Cisco World
Collaborator

For dual ISP, one for internet and the other for a prefix, we use:
default for ISP1
prefix for ISP2
This makes the router select ISP2 if the destination is the prefix, and if not, then it goes through ISP2.
Now, if you face a problem with the VPN default, then try using a FrontDoor VRF, which lets you use a default for VPN and also another default for global internet.
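Added example, not code from the thread: a small Python route lookup (longest prefix match, then lowest metric among equal prefixes) that models why the metric-254 default route in the posted config never carries traffic out GigabitEthernet1/8, and how the "default for ISP1, prefix for ISP2" pattern from Georg's accepted answer and MHM's reply steers only the tunnel traffic to ISP2. The routes are taken from the posted config and the poster's follow-up (including the 201.0.0.0/24 route); the destination addresses are constructed.

```python
import ipaddress

def route(iface, prefix, nexthop, metric):
    """One static or connected route entry (constructed for this example)."""
    return {"iface": iface, "prefix": ipaddress.ip_network(prefix),
            "nexthop": nexthop, "metric": metric}

def best_route(table, dst):
    """Longest prefix match; among equal prefixes the lowest metric wins,
    which is why only one of two default routes is ever used."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["prefix"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["prefix"].prefixlen, r["metric"]))

def egress(table, dst):
    """Interface a packet to dst leaves on, or None if unroutable."""
    r = best_route(table, dst)
    return r["iface"] if r else None

# Connected routes derived from the interface addresses in the posted config.
CONNECTED = [
    route("outside", "100.0.0.0/30", None, 0),
    route("outsideVPN", "200.0.0.0/30", None, 0),
    route("inside", "192.168.2.0/24", None, 0),
]

# Original config: two default routes, metric 1 (ISP1) and 254 (ISP2).
ORIGINAL = CONNECTED + [
    route("outside", "0.0.0.0/0", "100.0.0.1", 1),
    route("outsideVPN", "0.0.0.0/0", "200.0.0.1", 254),
]

# Accepted fix: a single default via ISP1, plus specific routes via ISP2 for
# the remote LAN and (from the poster's follow-up) the peer's 201.0.0.0/24.
FIXED = CONNECTED + [
    route("outside", "0.0.0.0/0", "100.0.0.1", 1),
    route("outsideVPN", "192.168.1.0/24", "200.0.0.1", 254),
    route("outsideVPN", "201.0.0.0/24", "200.0.0.1", 254),
]

if __name__ == "__main__":
    # Constructed destinations: a public host, a remote LAN host, the VPN peer.
    for dst in ("8.8.8.8", "192.168.1.10", "201.0.0.2"):
        print(dst, "original ->", egress(ORIGINAL, dst),
              "| fixed ->", egress(FIXED, dst))
```

With the original table every non-connected destination, including the remote LAN and the peer, leaves via outside; with the fixed table only the two /24s leave via outsideVPN and everything else still uses ISP1.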