How do you configure VPN traffic to go through another interface than the default route?

Jeroen Janssens
Level 1

My ASA has already 3 interfaces configured: outside (internet ISP#1), publilink (extranet ISP#1) and inside.  Our current VPNs connect through the outside interface.  The outside interface is also the default route for all traffic to the internet.  Traffic that needs to go over the publilink interface is routed via static routes.


I now want to add a second "outside" interface to a second ISP named telenet.  This will become the new default route to the internet.  The outside interface will remain as backup route to the internet.  But I want to keep all the VPN traffic over the outside interface as well.  For the site-to-site VPNs I can static route this traffic to the outside interface but all other VPN options no longer work while the telenet interface is up.  I suspect this is because the routing of the VPN traffic goes over the telenet interface instead of over the outside interface.


How can I solve this issue? Is there a way to configure that VPN traffic needs to go over a specific interface?


Bogdan Nita
VIP Alumni
You could use PBR in order to be able to send the traffic to the outside interface, based on the source IP and port. https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/route-policy-based.html

HTH

Bogdan

If I understand this correctly, I need to add the following commands:


access-list VPN-Outside-acl extended permit tcp any any eq 10000
access-list VPN-Outside-acl extended permit udp any any eq 500


route-map VPN-Outside-map permit 10
match ip address VPN-Outside-acl
set interface Outside


interface inside
policy-route route-map VPN-Outside-map


I am not sure if the ACL is sufficient to capture all the VPN traffic.

After looking at the config I realized that you would need to apply the route-map to traffic generated by the box (local policy route-map) and as far as I know, that is not possible on the asa.

I found this post that indicates that if you have a second default gateway with higher metric on your outside interface, anyconnect will work, but not IPSec.

https://supportforums.cisco.com/t5/vpn/asa-9-4-1-pbr-local-traffic/td-p/2697093


Another option would be to have separate contexts for the 2 internet connections, if you are not planning to use one as backup.


HTH

Bogdan

I have a second ASA I can use.  Would that help?  Can I configure what traffic goes to which ASA on my L3 switch (3560)?

What you wanted to do with your single ASA cannot really be done. PBR doesn't help unless you have a delineated source or destination address or set of addresses that you want to exclusively use the second connection. Given that remote clients generally come from more or less random addresses and the resources they access also need to use your primary Internet, PBR is a dead end.


A second ASA could certainly do that easily. You connect it to telenet alone and the VPN pool addresses are routed from your L3 switch to that ASA's inside interface.

I have chosen to redirect all the VPN tunnels to the new Telenet (new provider) interface.  All the site to site vpns are now active again.  But I cannot seem to get the remote access vpn to work.  I removed all the config from the previous remote access vpn and used the asdm wizard to set up a new one.


!ASA
!Single Routed
!15-sep-18_10.01.33
!Preview CLI Commands  
group-policy GADVPNT internal
group-policy GADVPNT attributes
  vpn-tunnel-protocol IPSec
  dns-server value 10.0.12.32 10.0.12.16
  default-domain value lede.local
tunnel-group GADVPNT type ipsec-ra
tunnel-group GADVPNT general-attributes
  default-group-policy GADVPNT
  authentication-server-group  group1 
  address-pool  VPN_GAD
tunnel-group GADVPNT ipsec-attributes
  pre-shared-key *****

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Telenet_dyn_map 100 set  pfs group2
crypto dynamic-map Telenet_dyn_map 100 set  transform-set  ESP-3DES-SHA


I did a test from a computer that uses another ISP to connect via VPN Client.  The ISP IP address for the test computer is 84.199.15.138.  The public IP address I am connecting to is 213.119.99.26.  In the ASDM log I saw the following message: Deny IP spoof from (84.199.15.138) to 213.119.99.26 on int Telenet.


What could be the issue here?

If there are any debug commands that could help, please let me know ...

I'm not sure I understand what you're trying to do.


Is this related to using two ISPs - one as the default route and another to take only VPN traffic? As I noted earlier, you really cannot do that for remote access VPN. You can do it for site-site with static routes.

It appears that the remote access vpn here is to be IPSEC (rather than AnyConnect). Am I correct in assuming that this would use a dynamic crypto map entry for the remote access vpn traffic? Would it not be possible to associate that dynamic crypto map with the desired ISP interface?


HTH


Rick

Hi Rick,


Whether the remote access VPN is IPsec IKEv1 or SSL/IPsec IKEv2 (AnyConnect) we can always bind the service to any available interface.


The problem is routing. Even though the traffic comes in to a given interface, the return traffic will use a route lookup in the ASA's routing table. For random Internet-based addresses the ASA will only know to use the default route, resulting in asymmetric flows and the inability to establish a connection.
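To make the return-path argument above concrete, here is an added Python simulation of the ASA's longest-prefix-match route lookup (it is not from the thread or from Cisco). The interface names follow the thread; the prefixes, the backup-route distance and the site-to-site peer address 203.0.113.10 are assumed.

```python
"""Simulate which interface the ASA picks for return traffic (constructed example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, egress interface, administrative distance).
ROUTES: List[Tuple[str, str, int]] = [
    ("10.0.0.0/8",      "inside",  1),    # internal networks behind the ASA (assumed)
    ("0.0.0.0/0",       "telenet", 1),    # new default route via the new ISP
    ("0.0.0.0/0",       "outside", 254),  # floating backup default via the old ISP
    ("203.0.113.10/32", "outside", 1),    # static route to one site-to-site peer (assumed)
]


def egress_interface(dst: str, routes: List[Tuple[str, str, int]] = ROUTES) -> Optional[str]:
    """Interface a packet to `dst` leaves on: longest prefix wins, then lowest distance."""
    ip = ipaddress.ip_address(dst)
    best = None  # ((prefixlen, -distance), iface)
    for prefix, iface, distance in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -distance)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def return_path_symmetric(ingress_iface: str, peer_ip: str,
                          routes: List[Tuple[str, str, int]] = ROUTES) -> bool:
    """True if replies to a peer that arrived on `ingress_iface` leave on that same interface."""
    return egress_interface(peer_ip, routes) == ingress_iface


def routes_without(iface: str) -> List[Tuple[str, str, int]]:
    """Routing table after `iface` goes down (its routes are withdrawn)."""
    return [r for r in ROUTES if r[1] != iface]


def classify_peers(peers: List[Tuple[str, str]]) -> dict:
    """Map each peer address to 'ok' or 'asymmetric' for the interface it arrived on."""
    return {ip: ("ok" if return_path_symmetric(iface, ip) else "asymmetric")
            for iface, ip in peers}
```

A static-routed site-to-site peer arriving on outside gets a symmetric path, while a remote-access client from an arbitrary address (the thread's 84.199.15.138) arriving on outside is answered via telenet; only when telenet is down does the floating default send its replies back out outside.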

I still have both ISPs. The new ISP is now the default route to the internet.  Previously I wanted to keep the VPNs going via the original ISP but since that was not possible, I reconfigured all the site-to-site vpns to connect through the new ISP interface.  That part I have working now.  But the remote access vpn won't come up when I try to configure it through the new ISP.

Hi Marvin, 

Is this information still current or Firewall ASA already have some new functionality to support dual ISP for RA VPN connections?

Best Regards,

Daniel