ASA with Dual ISP's, split traffic between VPN's and Internet

luckymace
Level 1

I need to know how to set up my ASA with dual WAN links. One is 10/10 fiber, the other will be a 50/5 Cable Wideband link. The 10/10 fiber is currently being used for VPNs and Internet (about 20 point-to-point IPsec VPNs currently).

I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)" feature for the current fiber link, and the new Wideband link for any other Internet traffic. I tried this; however, as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic)", I lost all connectivity.

I also set up my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the Internet. This would only let me ping Internet sites from the ASA device but not from client computers; also, the VPNs would not come back up.

I have tried the SLA setting with a DSL line for failover and that works well; I've since got rid of the DSL and want to utilize 2 WAN links for different purposes/traffic.

Obviously I'm missing something; does anyone have a solution for this?

ASA 5510, SSM-10, 1 GB RAM
ASA version: 8.4(1)
ASDM version: 6.4(3)
Context mode: Single
FW mode: Routed
License: Security Plus

Thanks in advance

L. Mace

5 Replies

Hi,

The ASA can use only a single default gateway.

This means (as opposed to routers) that you cannot use more than one interface to connect to the Internet simultaneously.

However, you can have an "Internet" interface and a "VPN" interface; it is just a matter of having a default gateway pointing out the "Internet" interface and having static routes or a routing protocol for the "VPN" interface.

Is this what you're looking for?

Federico.

Yes, I tried that. I set my default route to the "new" INTERNET interface and selected the "Tunneled" option on the "OUTSIDE" interface that has about 20 IPsec VPNs. As soon as I selected the "Tunneled" option, all VPNs went down. I then tried a static route to one of the VPNs and the ASDM would not let me enter it, as it errored out with "route is already used" or something to that effect. Also, I could ping Internet sites from the ASA device; however, I could not connect to Internet sites from my client computers. Any ideas on what I missed? Any help would be greatly appreciated. (See below).

Thanks in advance

L. Mace

Hi,

On the VPN interface, are you going to terminate site-to-site VPNs or remote access VPNs? If it is going to be remote access VPNs, it is not really going to be possible unless you know the IP addresses of the clients who will be connecting to the ASA.

Thanks and Regards,

Prapanch

All of the VPNs are already terminated, as stated in the original post. I just need to make the interface work with the "Tunneled (Default gateway for VPN traffic)" and a second interface for Internet traffic. Any ideas would be helpful.

Thanks

L. Mace

Hi,

The "tunnelled" default gateway is not used for the purpose you are planning to use it for. adding the tunnelled keyword at the end of a route makes that route the default gateway for traffic coming in on a VPN tunnel and not destined for a VPN tunnel. This is based on my understanding from the below link:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355

Let's consider this scenario. You have an L2L VPN tunnel from your ASA to another device with public IP a.b.c.d, and the local network on that device is 10.1.1.0/24. What you need are actually 2 static routes out the "VPN" interface (the ASA route command also takes the next-hop gateway on that interface, shown here as a placeholder):

route VPN a.b.c.d 255.255.255.255 <next-hop on VPN interface>

route VPN 10.1.1.0 255.255.255.0 <next-hop on VPN interface>

This will have to be done for all L2L VPNs you have and also for the remote access VPN pool of IPs. Hope this helps!!

Regards,

Prapanch
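The two answers above (a single default route out the Internet link, plus static routes out the VPN link for each peer and each protected network) combined into one ASA 8.4 configuration. This is an added example, not configuration posted by anyone in the thread. The interface names INTERNET and VPN, all addresses (documentation ranges) and next hops, the inside network 10.10.0.0/16 and the NAT statements are constructed assumptions; the thread itself does not discuss NAT.

```cisco
! Added example (constructed values): dedicated VPN link + separate Internet link on ASA 8.4.
interface GigabitEthernet0/0
 nameif INTERNET
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif VPN
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Exactly one ordinary default route, out the Internet link. Anything not matched by a
! more specific route (client web browsing included) leaves here.
route INTERNET 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Per L2L peer, two routes out the VPN link:
!  - a host route for the peer's public address, so IKE/ESP is sent from and
!    answered on the VPN interface (the one carrying the crypto map);
!  - a route for the remote protected network, so traffic for it reaches the
!    VPN interface and is matched by the crypto map instead of following the default.
! Repeat both lines for each of the ~20 peers; the next hop is the VPN-side gateway.
route VPN 192.0.2.50 255.255.255.255 198.51.100.9 1
route VPN 10.1.1.0 255.255.255.0 198.51.100.9 1
!
! Remote-access clients: route the whole address pool out the VPN link as well.
ip local pool RA-POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
route VPN 10.200.0.0 255.255.255.0 198.51.100.9 1
!
! The crypto map is bound to the VPN interface only.
crypto map VPN-MAP interface VPN
!
! Assumed, not from the thread: clients exiting the new Internet link need a
! translation on that interface, while VPN-bound traffic is exempted from NAT.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-NET-1
 subnet 10.1.1.0 255.255.255.0
nat (inside,INTERNET) source dynamic INSIDE-NET interface
nat (inside,VPN) source static INSIDE-NET INSIDE-NET destination static REMOTE-NET-1 REMOTE-NET-1
```

Note what is deliberately absent: no route with the tunneled keyword. As the command reference cited above describes it, that keyword creates a separate default route only for decrypted traffic arriving from a tunnel whose destination has no other route; it does not steer clear-text traffic onto the VPN link, which is why setting it on the fiber interface did not produce the split the original post was after. After applying routes like these, show route and show crypto isakmp sa are the quickest checks that the peers are reached via VPN while everything else follows the INTERNET default.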