Routing between two different firewalls on different public IPs

Hi all,

I've two internet lines, each one with a static public IP, say IP1 and IP2, supplied by different ISPs.

Each line is the outside of an ASA firewall.

The inside of each firewall is on the same LAN segment, say it's and

I have a Cisco 1841 router which is the default gateway for the LAN users, say

IP1 is my site-to-site VPN terminator, while IP2 is used for surfing the internet; IP2 is faster than IP1.

My remote users, such as me when I work from home, need to connect both to the company LAN ( and to other remote sites (let's call them R1, R2 etc.) connected to the company LAN by a site-to-site VPN managed by the firewall behind IP1.

I'd like to allow my remote users to connect to IP2, instead of IP1, and have access to both the company LAN and remote sites.

The question is: how?

On IP2 I have routes that say route inside R1 IP1, and the router has the correct routes (otherwise nothing would work, since it's the default gateway), but it doesn't work, i.e. on IP2 I can connect to the company LAN without problems using Cisco VPN client 4.8, but I don't get any further, i.e. I cannot reach R1, R2. If I connect with the VPN client to IP1, everything works.

How can I solve my problem?





I may not be 100% following, but it sounds like when you're connecting to the ASA with ISP2 via the remote VPN client you cannot route towards the second ASA with ISP1, which has the IPSec site-to-site tunnels to R1 & R2? Is that correct? If so, does the ASA with ISP1 and the site-to-site VPNs have routes back towards the other ASA (IP2), in particular for the range you're giving VPN clients, i.e. 10.10.10/24 for example? Secondly, are you identifying the VPN client addresses on ASA ISP2 as traffic you wish to encrypt on the ASA with ISP1?




As Richard articulated better, routes have to exist both ways and, as mentioned, the interesting traffic has to be identified to be encrypted. If either the routes or the ACLs on the crypto statements for the interesting traffic are not set up, traffic will not reach the intended destination or return (if routes are missing). You can have the static routes on the 1841 and let the 1841 route traffic to the relevant ASA; however, you may find ICMP redirects occur anyhow and the ASAs route directly between each other if they are connected to the same subnet as the 1841.

From Cisco -

Cisco routers send ICMP redirects when all of these conditions are met:

  • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
  • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
  • The datagram is not source-routed.
  • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

From ->


I don't completely follow, but assuming all VPNs and sites are using private IP addresses, put routes on the ASAs pointing to the 1841 and let it make the final forwarding decision.


I do a similar thing: I connect to one ASA using AnyConnect, and once connected I can connect across to any of the site-to-site VPN sites.

So when you remote access in you will get an IP address, let's say with a mask.

Now your 1841 will have a route as follows:

ip route 10.0.0.x whichever is your remote access ASA

You will also need the route statement on your site-to-site ASA.

Then in the interesting traffic for the site-to-site VPN you must include the in the ACLs,

and routing at both ends R2 R3 etc.
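The routes and crypto ACL entries the replies describe, written out as an added example (constructed here, not configuration from any poster). Every address, interface and ACL/crypto-map name is assumed: LAN 192.168.1.0/24 with the 1841 at .1, ASA1/IP1 at .2, ASA2/IP2 at .3, the VPN client pool 10.10.10.0/24 from the first reply's example, and remote site R1's LAN 192.168.10.0/24.

```cisco
! --- 1841: default gateway for the LAN (192.168.1.1) ---
! VPN client pool sits behind ASA2 (IP2); remote site R1 sits behind ASA1 (IP1).
ip route 10.10.10.0 255.255.255.0 192.168.1.3
ip route 192.168.10.0 255.255.255.0 192.168.1.2
! Optional: both ASAs are on the 1841's own subnet, so the 1841 will send
! ICMP redirects for pool<->R1 traffic (see the Cisco text quoted above).
! Disabling them keeps traffic following the routes above.
interface FastEthernet0/0
 no ip redirects

! --- ASA1 (IP1): site-to-site terminator, inside 192.168.1.2 ---
! Return route for the VPN client pool, via ASA2 (could also point at the 1841).
route inside 10.10.10.0 255.255.255.0 192.168.1.3 1
! Interesting traffic for the R1 tunnel: LAN -> R1 as before, plus pool -> R1.
access-list L2L_R1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_R1 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address L2L_R1
! If ASA1 NATs inside traffic, pool -> R1 also needs a NAT exemption (not shown).

! --- ASA2 (IP2): remote-access ASA, inside 192.168.1.3 ---
ip local pool VPN_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
! R1 is not on the LAN, so ASA2 needs a route for it: via the 1841 here.
route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
! If split tunnelling is used, R1's subnet must be in the split-tunnel list,
! otherwise the VPN client sends R1 traffic out its local internet connection.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0

! --- R1's VPN device (an ASA is assumed): mirror image of ASA1's crypto ACL ---
access-list L2L_HQ extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_HQ extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
```

A quick check on each box is to trace one packet from the pool to R1 and one back: if any hop lacks a route for the pool, or the pool is missing from either side's crypto ACL, that direction fails exactly as described in the question.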


