04-22-2025 04:50 PM
Is it possible to have RA-VPN/Secure Client configured on one outside interface while having local internet traffic route out another outside interface? Something like this? Is it as easy as adding a route to the RA-VPN subnet pointing to the interface it's configured on while having the default route point towards the other?
04-23-2025 11:10 AM - edited 04-23-2025 11:41 AM
@the-lebowski 10.10.90.0/24 is the VPN client IP address, but you actually need a route to the public IP addresses the client traffic is coming from?
Perhaps use PBR for the traffic via outside1 for internal resources accessing the internet, then have the default route via outside2 for RAVPN to establish a VPN. Example of PBR, amend to meet your scenario.
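As an added illustration of the PBR approach described above (not the poster's own example), here is an ASA/FTD-style configuration with internal hosts policy-routed out outside1 and the default route left on outside2 for the RA-VPN. Interface names, addresses and next hops are assumed placeholders; only the 10.10.90.0/24 pool comes from the thread.

```cisco
! Added example, not from the original post. Addresses, next hops and
! interface names are assumed placeholders.
!
! Default route via outside2 (ISP2): used for RA-VPN/Secure Client traffic
! and anything not matched by the policy-based routing below.
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Floating backup default via outside1 (ISP1) if outside2 goes down.
route outside1 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Internal LAN whose internet-bound traffic should leave via outside1.
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
!
! VPN client pool (10.10.90.0/24 from the thread). Denying it in the PBR ACL
! keeps inside-to-VPN-client traffic on the normal routing table, so it
! reaches the tunnel instead of being pushed out to ISP1.
object network VPN_POOL
 subnet 10.10.90.0 255.255.255.0
access-list PBR_INSIDE extended deny ip object INSIDE_NET object VPN_POOL
access-list PBR_INSIDE extended permit ip object INSIDE_NET any
!
! Route-map: matching inside traffic is forwarded to the ISP1 next hop.
route-map PBR_TO_ISP1 permit 10
 match ip address PBR_INSIDE
 set ip next-hop 198.51.100.1
!
! PBR is applied on the ingress (inside) interface.
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 policy-route route-map PBR_TO_ISP1
!
! The NAT rule must name the egress interface the route-map selects, or
! the policy-routed flow will not be translated.
nat (inside,outside1) source dynamic INSIDE_NET interface
!
! Verify the chosen egress interface and NAT for a sample flow with:
! packet-tracer input inside tcp 192.168.10.50 12345 198.51.100.200 443
```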
04-23-2025 12:16 PM
No need for any config.
Since AnyConnect initiates the connection to ISP1,
FTD checks the connection first and always uses ISP1 for AnyConnect.
Other traffic initiated from inside hosts will use the default route toward ISP2.
So what you want is only to make sure the AnyConnect connection goes to ISP1.
MHM
04-24-2025 07:27 AM - edited 04-24-2025 07:28 AM
So it's FTD hardware but running ASA code, so this still applies? This was my original thought as well but wanted to be sure. Also, what happens with a tunnel-all profile? Does that traffic still go out ISP1, or will it take the default route configured towards ISP2?
04-24-2025 09:09 AM - edited 04-24-2025 11:00 AM
So it's FTD hardware but running ASA code, so this still applies? This was my original thought as well but wanted to be sure. It works for FTD and ASA.
Also, what happens with a tunnel-all profile? Does that traffic still go out ISP1, or will it take the default route configured towards ISP2? Adding tunnel-all will make traffic go toward ISP2, but we usually use tunnel-all to direct VPN traffic out via the same ISP interface, not via the other ISP.
MHM
04-24-2025 09:55 AM
What I was asking for is tunnel-all hairpin/U-turn traffic back to the internet and which interface that will take. We have NAT statements for that specific traffic (AnyConnect TA client > firewall > internet) and they point to ISP1, which AnyConnect is configured on. There was some concern that the traffic would take the default route out ISP2 and cause a NAT issue, but not so sure.
04-24-2025 11:01 AM
If we use tunnel-all and the traffic egresses via one interface and hairpins via the other interface, the traffic will be dropped.
So we need to use only split tunnel, not tunnel-all.
MHM
04-25-2025 11:52 AM - edited 04-25-2025 11:53 AM
So there is no way to make TA work when using separate outside interfaces for AnyConnect and egress traffic? Getting confused with the back and forth and just want to make sure TA will work when configuring AnyConnect and egress traffic on different interfaces.