ASA 5510 separate ISP for WebVPN?

Is it possible to have the ASA connected to two ISPs and use the one ISP connection for Client/S2S VPN and Internet access and the second ISP connection just for the WebVPN traffic? How would you manage the routing, as the default route is pointing to the first connection, or is that not an issue here?



6 Replies

Your remote-access sessions have to be used over the ISP where the default route is used. You can only put your S2S VPNs on the other ISP with the help of dedicated routes.

Hi Thomas,

This would work without any kind of issues. It is always confusing to some people because they think that the ASA needs to route a packet. However, the fact is that in the case of TCP traffic the ASA will respond back on the same interface without doing a route lookup.

The same logic applies to AnyConnect also. If you want to use AnyConnect on a separate interface other than the default route interface, it will also work. But the IPsec VPN client won't work because the first connection of the IPsec client uses UDP packets instead of TCP.

So in a nutshell, just enable WebVPN on your secondary interface and you will be good to go; you don't need to worry about any kind of routing at all.

Hi Shikhar,

Since which version is that supported? I'm not aware at all that the ASA is capable of that, and it didn't work for me when I tested it to find that out (but these tests were not with recent versions).

regards, Karsten

Hello Karsten, Hello Shikhar,

Thanks for your responses! My ASA is running 8.2(5), so not the latest version either ;-) but I will give it a try and let you know if it works.

regards, Thomas

Hello again,

Okay, I have tried just enabling WebVPN on the new interface, but then I am not able to reach the WebVPN portal. As soon as I set a route, for example for just one external IP address, on the ISP for WebVPN, I am able to reach it from that single IP.

Maybe I have the possibility to work with static routes just like that, as the WebVPN was planned to be used to grant access for a dependent company.

@Shikhar, but if there is a software version that can handle this without the need for static routes, it would be great if you could let us know.

regards, Thomas
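
The static-route workaround described in the post above, written out as an added configuration sketch (not posted by anyone in the thread). The interface names `outside` and `outside2`, the physical ports, and every address are constructed placeholders from the RFC 5737 documentation ranges.

```cisco
! Constructed example: all names and addresses are placeholders.
! First ISP: carries the default route (client/S2S VPN and Internet access).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Second ISP: used only for the WebVPN portal.
interface Ethernet0/3
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Default route stays on the first ISP.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Host route for the partner company's public address (placeholder 192.0.2.10)
! via the second ISP's gateway, so traffic to that source uses outside2.
route outside2 192.0.2.10 255.255.255.255 203.0.113.1 1
!
! Enable the WebVPN portal on the second ISP interface only.
webvpn
 enable outside2
```

With this layout the portal is reachable only from sources that have a host route on `outside2`, which matches the single-IP behaviour reported above; each additional partner address needs its own `route outside2` line.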


No need for dedicated routes, the ASA keeps track of the specific TCP session on the specific interface where the WebVPN session is established.

Please keep us posted.



