07-02-2011 12:49 PM
I need to know how to set up my ASA with dual WAN links. One is 10/10 fiber, the other will be a 50/5 Cable Wideband link. The 10/10 fiber is currently being used for VPNs and Internet (about 20 point-to-point IPsec VPNs currently).
I want to add the Wideband link and use the "Tunneled (Default gateway for VPN traffic)" feature for the current fiber link and the new Wideband link for any other internet traffic. I tried this, however as soon as I set my fiber link to "Tunneled (Default gateway for VPN traffic)", I lost all connectivity.
I also set up my "VPN" link with the "tunneled" option and my "INTERNET" link with a default route to the internet. This would only let me ping internet sites from the ASA device but not from client computers, and the VPNs would not come back up.
I have tried the SLA setting with a DSL line for failover and that works well; I've since got rid of the DSL and want to utilize 2 WAN links for different purposes/traffic.
Obviously I'm missing something. Does anyone have a solution for this?
ASA 5510, SSM-10 1GB RAM
ASA version 8.4(1)
ASDM Version 6.4(3)
Context Mode Single
FW Mode Routed
License Security Plus
Thanks in advance
L. Mace
07-02-2011 12:57 PM
Hi,
The ASA can use only a single default gateway.
This means (as opposed to routers) that you cannot use more than one interface to connect to the Internet simultaneously.
However, you can have an "Internet" interface and a "VPN" interface; it's just a matter of having a default gateway pointing out the "Internet" interface and having static routes or a routing protocol for the "VPN" interface.
Is this what you're looking for?
Federico.
07-05-2011 07:03 AM
Yes, I tried that. I set my default route to the "new" INTERNET interface and selected the "Tunneled" option on the "OUTSIDE" interface that has about 20 IPsec VPNs. As soon as I selected the "Tunneled" option all VPNs went down. I then tried a static route to one of the VPNs and the ASDM would not let me enter it, as it errored out with "route is already used" or something to that effect. Also, I could ping internet sites from the ASA device; however, I could not connect to internet sites from my client computers. Any ideas on what I missed? Any help would be greatly appreciated. (See below.)
Thanks in advance
L. Mace
07-19-2011 01:14 PM
Hi,
On the VPN interface, are you going to terminate site-to-site VPNs or remote access VPNs? If it is going to be remote access VPNs, it is not really going to be possible unless you know the IP addresses of the clients who will be connecting to the ASA.
Thanks and Regards,
Prapanch
07-19-2011 08:59 PM
All of the VPNs are already terminated as stated in the original post. I just need to make the interface work with the "Tunneled (Default gateway for VPN traffic)" option and a second interface for internet traffic. Any ideas would be helpful.
Thanks
L. Mace
07-20-2011 09:21 AM
Hi,
The "tunnelled" default gateway is not used for the purpose you are planning to use it for. Adding the tunnelled keyword at the end of a route makes that route the default gateway for traffic coming in on a VPN tunnel and not destined for a VPN tunnel. This is based on my understanding from the below link:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355
Let's consider this scenario. You have an L2L VPN tunnel from your ASA to another device with public IP a.b.c.d, and the local network on that device is 10.1.1.0/24. What you need are actually 2 static routes out the "VPN" interface:
route VPN a.b.c.d 255.255.255.255
route VPN 10.1.1.0 255.255.255.0
This will have to be done for all L2L VPNs you have and also for the remote access VPN pool of IPs. Hope this helps!
Regards,
Prapanch
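The routing design Prapanch describes, modelled as an added example (not code from the thread or from Cisco): a default route out INTERNET, plus host routes for each L2L peer and routes for each remote network and the remote-access pool out VPN, with a longest-prefix lookup showing which interface a destination egresses. Interface names, gateways, peers and subnets are constructed sample values, and each link's next-hop gateway (which the real `route` command requires) is assumed.

```python
"""Model the ASA static routing table from the thread: default route out
INTERNET, specific routes out VPN. Longest-prefix match decides egress,
which is why specific VPN routes win over the Internet default."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values (documentation ranges), not from the thread.
INTERNET_GW = "203.0.113.1"          # assumed next hop on the INTERNET link
VPN_GW = "198.51.100.1"              # assumed next hop on the VPN link
L2L_PEERS: Dict[str, str] = {        # peer public IP -> its protected network
    "192.0.2.10": "10.1.1.0/24",
    "192.0.2.20": "10.1.2.0/24",
}
RA_POOL = "10.200.0.0/24"            # remote-access VPN address pool

Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, interface, gateway)

def build_routes(internet_gw: str, vpn_gw: str,
                 peers: Dict[str, str], ra_pool: str) -> Tuple[List[Route], List[str]]:
    """Return the route list and the equivalent ASA 'route' commands.
    A prefix may appear only once; a second entry for the same prefix is
    the kind of conflict ASDM reports as 'route is already used'."""
    routes: List[Route] = []
    seen = set()

    def add(iface: str, prefix: str, gw: str) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        if net in seen:
            raise ValueError(f"route for {net} already exists")
        seen.add(net)
        routes.append((net, iface, gw))

    add("INTERNET", "0.0.0.0/0", internet_gw)       # plain default, no 'tunneled'
    for peer, remote in peers.items():
        add("VPN", f"{peer}/32", vpn_gw)            # reach the IKE/IPsec peer
        add("VPN", remote, vpn_gw)                  # reach its protected network
    add("VPN", ra_pool, vpn_gw)                     # remote-access pool
    commands = [f"route {iface} {net.network_address} {net.netmask} {gw}"
                for net, iface, gw in routes]
    return routes, commands

def egress(routes: List[Route], dst: str) -> str:
    """Interface chosen for dst by longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

if __name__ == "__main__":
    table, cmds = build_routes(INTERNET_GW, VPN_GW, L2L_PEERS, RA_POOL)
    print("\n".join(cmds))
    for d in ("192.0.2.10", "10.1.2.77", "10.200.0.5", "203.0.113.50"):
        print(d, "->", egress(table, d))
```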