
Two ISPs connected to ASA and separating Internet and VPN traffic

Gajendra R'
Level 1

Hi,

 

I have a small confusion regarding the configuration and connection. I have one ASA which is connected to two ISP routers. Now I want to make one ISP dedicated to Internet and one to site-to-site VPN. By using static routing on the ASA, I can point the default route to the ISP1 router for Internet access; however, for VPN traffic, what route should I point to the ISP2 router so that the VPN traffic, which uses private IP addresses, can work?

 

Or please suggest if any other option can work in this scenario?

 

Thanks

 

3 Replies

rizwanr74
Level 7

Hello Gajendra,

 

You keep the default route to your primary ISP1, and for your second ISP2 you only point your remote tunnel peers' addresses (I assume they are public addresses), and you also point all remote-LAN subnets to the second ISP2. When you point the remote LANs to the second ISP (by means of a static route), it is to make sure that the remote-LAN subnets are reachable via the tunnel, so that the crypto engine picks up that given traffic for encapsulation.

If you don't have the static route to the remote LANs, then you might encounter a problem such as: the tunnel is in up-state but there is traffic is entering into the tunnel, because most of the time, people push all private address ranges to inside the network.

 

Hope this answers your question.

 

Thanks

Rizwan Rafeek.
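
Added example, not part of the original thread or any poster's configuration: an ASA configuration fragment showing the routing layout the reply above describes, with the default route on ISP1 and the peer and remote-LAN routes on ISP2. The interface names, object names and all addresses are constructed assumptions (documentation ranges); the IKE policy, transform set, tunnel-group and NAT exemption are omitted.

```cisco
! Constructed addressing (documentation ranges), all names hypothetical:
!   isp1 next hop 203.0.113.1, isp2 next hop 192.0.2.1
!   remote VPN peer 198.51.100.10
!   local LAN 10.10.0.0/16, remote LAN 10.20.0.0/16
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
! Internet: the only default route points at ISP1.
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! VPN: host route for the remote peer's public address via ISP2,
! so IKE/ESP to that peer leaves through isp2.
route isp2 198.51.100.10 255.255.255.255 192.0.2.1 1
! Route for each remote LAN subnet via ISP2, so the egress interface
! is isp2 and the crypto map bound there picks the traffic up.
route isp2 10.20.0.0 255.255.0.0 192.0.2.1 1
!
! The case the reply warns about: a summary of private space pointed
! inside. Without the /16 above, 10.20.0.0/16 would follow this route
! and never reach the crypto map; with it, the longer prefix wins.
route inside 10.0.0.0 255.0.0.0 10.10.0.254 1
!
access-list VPN-ACL extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP 10 set peer 198.51.100.10
crypto map VPN-MAP interface isp2
crypto ikev1 enable isp2
!
! Checks (exec mode):
!   show route
!   packet-tracer input inside icmp 10.10.1.10 8 0 10.20.1.10 detailed
!   show crypto ipsec sa peer 198.51.100.10
```

In the packet-tracer output, the route lookup phase should select isp2 and a VPN encrypt phase should appear; if the egress interface is inside or isp1, the remote-LAN route is missing or shadowed.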

Thanks Rizwan Rafeek,

I do have this plan in mind; however, I am looking for any other solutions, like making both links active for VPN as well as Internet.

 

Thanks

"what route should I Point to ISP2 router so the VPN traffic which is being use Private Ip address can be work."

 

I hope your first question was answered.

You cannot push a default route to both interfaces at the same time, so pushing Internet-bound traffic to both links is not viable, and so there is no balancing of Internet-bound traffic on the ASA.

 

However, you can load-balance VPN-tunnel-bound traffic, since each individual tunnel can be terminated on either of the Internet-facing interfaces.

 

Thanks

Rizwan Rafeek
