I have two internet lines, each one with a static public IP, say IP1 and IP2, supplied by different ISPs.
Each line is the outside of an ASA firewall.
The inside of each firewall is on the same LAN segment, say 10.0.0.2 and 10.0.0.3.
I have a Cisco 1841 router which is the default gateway for the LAN users, say 10.0.0.1.
IP1 is my site-to-site VPN terminator, while IP2 is used for surfing the internet, and IP2 is faster than IP1.
My remote users, such as me when I work from home, need to connect both to the company LAN (10.0.0.0/24) and to other remote sites (let's call them R1, R2, etc.) connected to the company LAN by a site-to-site VPN managed by the firewall behind IP1.
I'd like to allow my remote users to connect to IP2, instead of IP1, and have access to both the company LAN and remote sites.
The question is: how?
On IP2 I have routes that say route inside R1 255.255.255.0 IP1, and the router has correct routes (otherwise nothing would work, since it's the default gateway), but it doesn't work, i.e. on IP2 I can connect to the company LAN without problems using Cisco VPN client 4.8, but I can't go any further, i.e. I cannot reach R1, R2. If I connect with the VPN client to IP1, everything works.
How can I solve my problem?
I may not be 100% following, but it sounds like when you're connecting to the ASA with ISP2 via the remote VPN client you cannot route towards the second ASA with ISP1, which has the IPSec site-to-site tunnels to R1 & R2? Is that correct? If so, does the ASA with ISP1 and the site-to-site VPNs have routes back towards the other ASA (IP2), in particular the range you're giving VPN clients, i.e. 10.10.10.0/24 for example? Secondly, are you identifying the VPN client addresses on ASA ISP2 as traffic you wish to encrypt on the ASA with ISP1?
As Richard articulated better, routes have to exist both ways and, as mentioned, interesting traffic has to be identified to be encrypted. If either the routes or the ACLs on the crypto statements for the interesting traffic are not set up, traffic will not reach the intended destination or return (if routes are missing). You can have the static routes point to the 1841 and let the 1841 route traffic to the relevant ASA; however, you may find ICMP redirects occur anyhow and the ASAs route directly between each other if they are connected to the same subnet as the 1841.
From Cisco -
The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
The datagram is not source-routed.
The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)
From -> http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html
I don't completely follow, but assuming all VPNs and sites use private IP addresses, simply put routes on the ASAs pointing to the 1841 and let it make the final forwarding decision.
I do a similar thing: I connect to one ASA using AnyConnect, and once connected I can connect across to any of the site-to-site VPN sites.
So when you remote-access in, you will get an IP address, let's say 172.16.1.1 with a 255.255.255.0 mask.
Now your 1841 will have a route as follows:
ip route 172.16.1.0 255.255.255.0 10.0.0.x (whichever is your remote-access ASA)
You will also need the route statement on your site-to-site ASA as well.
Then, in the interesting traffic for the site-to-site VPN, you must include 172.16.1.0 in the ACLs,
and routing at both ends, R2, R3, etc.
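Putting the two answers above together (routes both ways, the client pool added to the crypto ACL, and the ICMP redirect note), here is an added configuration example that is not from any poster in this thread. It uses the addresses from the question (1841 at 10.0.0.1, ASA behind IP1 at 10.0.0.2, ASA behind IP2 at 10.0.0.3, client pool 172.16.1.0/24); the R1 subnet 192.168.1.0/24, the interface name FastEthernet0/0, the ACL/crypto map names and the peer placeholder R1_PUBLIC_IP are assumptions, and the R1 end is shown as an ASA only for illustration.

```cisco
! ===== 1841, LAN default gateway (10.0.0.1) =====
! Client pool lives behind the remote-access ASA (inside 10.0.0.3)
ip route 172.16.1.0 255.255.255.0 10.0.0.3
! Each remote site lives behind the site-to-site ASA (inside 10.0.0.2)
! (192.168.1.0/24 is an assumed R1 subnet; repeat per site)
ip route 192.168.1.0 255.255.255.0 10.0.0.2
! Optional: keep the 1841 from redirecting the ASAs to talk directly
! (interface name is an assumption)
interface FastEthernet0/0
 no ip redirects

! ===== ASA behind IP2, remote access (inside 10.0.0.3) =====
! Decrypted client traffic for R1 goes out the inside interface to the 1841
route inside 192.168.1.0 255.255.255.0 10.0.0.1

! ===== ASA behind IP1, site-to-site (inside 10.0.0.2) =====
! Return traffic for the client pool goes back via the 1841
route inside 172.16.1.0 255.255.255.0 10.0.0.1
! Interesting traffic for the R1 tunnel: LAN AND the client pool
access-list L2L_R1 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_R1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_R1
crypto map OUTSIDE_MAP 10 set peer R1_PUBLIC_IP

! ===== R1 end (assumed ASA), mirror image of the crypto ACL =====
access-list L2L_HQ extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list L2L_HQ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
```

To check the path without a client connected, the ASA's packet-tracer command simulates a packet from the pool towards R1 on each firewall, e.g. `packet-tracer input inside icmp 172.16.1.1 8 0 192.168.1.10` on the site-to-site ASA, and `show route` confirms the static routes above are installed; if the crypto ACL lacks the pool line, the tracer shows the packet leaving unencrypted and R1 never sees it.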