09-03-2012 02:22 AM
Hello,
is it possible to have the ASA connected to two ISPs and use one ISP connection for Client/S2S VPN and Internet access and the second ISP connection just for the WebVPN traffic? How would you manage the routing, as the default route is pointing to the first connection, or is that not an issue here?
Greetings
Thomas
09-03-2012 03:02 AM
Your remote-access sessions have to be used over the ISP where the default-route is used. You only can put your S2S-VPNs on the other ISP with the help of dedicated routes.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-03-2012 03:52 PM
Hi Thomas,
This would work without any kind of issues. It is always confusing to some people because they think that the ASA needs to route a packet. However, the fact is that in the case of TCP traffic the ASA will respond back on the same interface without doing a route lookup.
The same logic applies to AnyConnect also. If you want to use AnyConnect on a separate interface other than the default route interface, it will also work. But the IPSec VPN client won't work because the first connection of the IPSec client uses UDP packets instead of TCP.
So in a nutshell, just enable webvpn on your secondary interface and you will be good to go...you don't need to worry about any kind of routing at all.
Shikhar Sharma
CCIE Security # 29741
Cisco TAC - VPN Team
09-03-2012 10:48 PM
Hi Shikhar,
since which version is that supported? I'm not aware at all that the ASA is capable of that, and it didn't work for me when I tested it to find that out (but these tests were not with recent versions).
regards, Karsten
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-03-2012 11:38 PM
Hello Karsten, Hello Shikhar,
thanks for your responses! My ASA is running 8.2(5), so not the latest version either ;-) but I will give it a try and let you know if it works.
regards, Thomas
09-04-2012 12:32 AM
Hello again,
okay, I have tried just enabling WebVPN on the new interface, but then I am not able to reach the WebVPN portal. As soon as I set a route, for example for just one external IP address, on the ISP for WebVPN, I am able to reach it from that single IP.
Maybe I have the possibility to work with static routes just like that, as the WebVPN was planned to be used to grant access for a dependent company.
@Shikhar, but if there is a software version that can handle this without the need for static routes, it would be great if you could let us know.
regards, Thomas
09-04-2012 05:13 AM
Hi,
No need for dedicated routes, the ASA keeps track of the specific TCP session on the specific interface where the WebVPN session is established.
Please keep us posted.
Thanx
Portu
Sent from Cisco Technical Support Android App
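As an added configuration sketch (not posted by anyone in this thread), here is the layout being discussed: the default route stays on ISP 1, WebVPN is enabled only on the ISP 2 interface, and a host route for the partner's public address is kept as the fallback Thomas found necessary on 8.2(5). Interface names, gateway addresses and the partner IP (RFC 5737 documentation ranges) are assumed, not from the page.

```cisco
! Assumed interface names and addresses; 198.51.100.0/24, 203.0.113.0/24
! and 192.0.2.0/24 are documentation ranges, substitute your own.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Default route on ISP 1: Internet, IPsec VPN client and S2S tunnels.
! The IPsec client must stay here because its first packet is UDP, which
! does not benefit from the TCP same-interface reply behaviour.
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Host route for the partner's source IP via ISP 2. Only needed if the
! portal is unreachable without it, as reported above for 8.2(5); with
! same-interface TCP replies the entry is harmless but unnecessary.
route outside2 192.0.2.10 255.255.255.255 203.0.113.1 1
!
! Expose the clientless WebVPN portal on the ISP 2 interface only.
webvpn
 enable outside2
```

Verify from the partner address with `show route` and `show conn` on the ASA: the portal's TCP connection should appear on outside2 while the default route remains on outside1.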