Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
793
Views
0
Helpful
6
Replies

ASA 5510 seperate ISP for WebVPN ?

thomas.busse
Level 1
Level 1

‎09-03-2012 02:22 AM

Hello,

is it possible to have the ASA connected to two ISP's and use the one ISP connection for Client/S2S VPN and Internet Access and the second ISP connection just for the WebVPN Traffic? How would you manage the Routing, as the default route is pointing to the first connection or is that not an issue here?

Greetings

Thomas

Labels:
0 Helpful
6 Replies 6

Karsten Iwen
VIP
VIP

‎09-03-2012 03:02 AM

Your remote-access sessions have to be used over the ISP where the default-route is used. You only can put your S2S-VPNs on the other ISP with the help of dedicated routes.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

shikhsha
Level 1
Level 1

‎09-03-2012 03:52 PM

Hi Thomas,

This would work without any kind of issues. It is always confusing to some people because they think that ASA needs to route a packet. However the fact is that in case of TCP traffic ASA will respond back on the same interface without doing a route lookup.

The same logic applies to Anyconnect also. If you want to use anyconnect on a seperate interface other than the default route interface, it will also work. But IPSec VPN client won't work because the first connection of IPSec client uses UDP packets instead of TCP.

So in a nutshell, just enable webvpn on your secondary interface and you will be good to go...you don't need to worry about any kind of routing at all.

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team

0 Helpful

Karsten Iwen
VIP
VIP
In response to shikhsha

‎09-03-2012 10:48 PM

Hi Shikhar,

since which version is that supported? I'm not aware at all that the ASA is capable of that and it didn't work for me when I testet it to fing that out (but these tests were not with recent versions).

regards, Karsten

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

thomas.busse
Level 1
Level 1
In response to Karsten Iwen

‎09-03-2012 11:38 PM

Hello Karsten, Hello Shikhar,

thanks for your responds! My ASA is running 8.2(5) so not the latest version eather ;-) but I will give it a try and let you know if it works.

regards, Thomas

0 Helpful

thomas.busse
Level 1
Level 1
In response to thomas.busse

‎09-04-2012 12:32 AM

Hello again,

okay, I have tried just enabling WebVPN on the new interface, but then I am not able to reach the WebVPN portal, as soon as I set a route for example for just one external IP address on the ISP for WebVPN I am able to reach it from that single IP.

Maybe I have the possibility to work with static routes just like that, as the WebVPN was planed to be used to grant access for an dependent company.

@Shikhar, but if there is a Software Version that can handle this without the need for static routes it would be great if you could let us know

regards, Thomas

0 Helpful

Javier Portuguez
Level 9
Level 9

‎09-04-2012 05:13 AM

Hi,

No need for dedicated routes, the ASA keeps track of the specific TCP session on the specific interface where the WebVPN session is established.

Please keep us posted.

Thanx

Portu

Sent from Cisco Technical Support Android App

0 Helpful
Customers Also Viewed These Support Documents