User VPN through secondary internet



I've got a problem that I'm hoping is simple for someone out there!

We have an ASA 5520 in production with a brand new internet feed we've just finished installing. We connect to our corporate office via a VPLS. In our corporate office we have a Cisco 1841 (I think that was the year it was made!) with an ADSL feed with a static IP address plugged in directly.

We have a user VPN that we integrate with our user directory on the router, which connects via the ADSL. The users get an IP address at the tail end of the range, which is the same as one of our corporate subnets (we just reserve a few addresses, we don't have many VPN users).

Both the ASA and the router connect to each other (via the VPLS) on the internal subnet.

The ASA is

The router is

Currently the default route for the corporate office goes out the Dialer interface for the ADSL, which means that's where our internet goes out there (all proxying aside, we'll leave that out of this one).

ip route Dialer1

We'd like to change that default route to go via the VPLS to the ASA, and then out to the internet using the new feed. All the ACLs and rules are in place at both ends for this to work. If I change the default route on the router to:

ip route

Then it works as expected.

The problem is that then the user VPN breaks. I had hoped I wouldn't have to do any configuration on this but it looks to be so. I'm guessing that the VPN packets are coming in via the ADSL and back out via the new internet. It would be simple if the remote client had a static IP address as I could put in a static route for each user, but it's always going to be dynamic.

What do I need to put in place to get this working? I thought maybe I could leave the default route via the ADSL and put in a next-hop rule to go via the VPLS for the specific subnets that need the new internet, i.e. have a subnet-specific default gateway. Is this possible? (I gave it a go but it didn't seem to work. I think I didn't implement it properly though, as it still went via the ADSL, maybe because there is a NAT route-map as well?)

Any ideas?
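As an added illustration, not from the thread or from Cisco, here is one way the question above is usually approached: keep the default route pointing at the ASA and policy-route only the router-originated VPN traffic back out the ADSL. The ASA address, the LAN subnet and the interface names other than Dialer1 are placeholders.

```cisco
! Added example, not the poster's configuration. Placeholders:
!   ASA inside address on the VPLS subnet -> 10.10.10.1
!   corporate LAN (VPN pool at its tail)   -> 10.10.10.0/24
! Default route goes to the ASA, as already tested in the question
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
! IKE and ESP replies to VPN clients are generated by the router itself,
! so an interface policy never sees them; match them by protocol and port
ip access-list extended VPN-RETURN
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit esp any any
!
! Send those packets out the ADSL regardless of the default route
route-map VPN-VIA-ADSL permit 10
 match ip address VPN-RETURN
 set interface Dialer1
!
! Local policy applies to router-originated traffic only; LAN traffic
! keeps following the routing table towards the ASA
ip local policy route-map VPN-VIA-ADSL
```

Check that the policy is actually matching with `show route-map VPN-VIA-ADSL` (the match counters should increase while a client is connected). The existing NAT route-map should only match traffic leaving Dialer1, otherwise flows that now go via the VPLS are translated on the router as well as on the ASA.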

3 Replies

Latchum Naidu


It seems to be a problem with the reverse route for the client VPN subnet.
Did you change the default route to point to your new internet (I guess your ASA), something like below?

ip route

Please rate the helpful posts.


I'm not entirely sure I understand what you're saying. Do you mean did I put a route into the office router saying to use the new internet for the VPN subnet?

No I didn't because we want the VPN to use the old internet still.

If that's not what you meant, can you elaborate please?

I don't think there's a problem with the route, or any internal routes. It's the internet routing that's wrong.

I think the general consensus with this is that it's not possible without a proxy, so we just bought a simple router to run our ADSL and VPN from.
