Multiple VPN on a single cisco ASA 5506x

Hello there,

I want to configure two VPNs on a single ASA: one for our main internet and a second for our backup internet.

vpn1.mysite.com on the OUTSIDE_1 interface (for main internet)

vpn2.mysite.com on the OUTSIDE_2 interface (for backup internet)

How can I achieve this goal?

Thanks in advance,

Ankit

8 Replies

Hi,

I assume you are referring to an AnyConnect remote access VPN? If so, use the AnyConnect Profile Editor to define a Backup Server with the IP address/FQDN of the OUTSIDE_2 interface.

On the ASA, use an IP SLA and track something on the primary outside interface (e.g. reachability of the next-hop IP address); if that fails, it will remove the default static route and install a default route using the backup outside interface. When the primary interface fails, the client will attempt to connect to the IP address/FQDN defined in the Backup Server List.

HTH
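As an added example, not part of RJI's reply or anything else in this thread, here is ASA CLI configuration for the tracked default route failover described above, plus enabling AnyConnect on both outside interfaces. The interface names OUTSIDE_1 and OUTSIDE_2 come from the thread; the next-hop addresses 203.0.113.1 and 198.51.100.1 and the SLA/track object numbers are assumptions chosen for illustration.

```cisco
! --- Added example, not from the original thread. Next-hop addresses and object numbers are assumed. ---

! Probe the primary ISP next hop (assumed 203.0.113.1) out of OUTSIDE_1 every 10 seconds
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface OUTSIDE_1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Track object 1 goes down when SLA 10 reports the target unreachable
track 1 rtr 10 reachability

! The primary default route stays installed only while track 1 is up.
! The floating route via OUTSIDE_2 (assumed next hop 198.51.100.1) has a
! worse metric (254) and is installed only once the primary route is withdrawn.
route OUTSIDE_1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route OUTSIDE_2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Terminate AnyConnect on both outside interfaces so vpn2 is reachable on OUTSIDE_2
webvpn
 enable OUTSIDE_1
 enable OUTSIDE_2
 anyconnect enable

! Verification commands:
!   show sla monitor operational-state 10   (probe results)
!   show track 1                            (Reachability is Up/Down)
!   show route | include 0.0.0.0            (which default route is installed)
```

Two caveats a practitioner would check: the SLA target must be something that stops answering when the primary ISP actually fails (a directly connected next hop can keep answering ICMP while the link beyond it is down, so a farther target is often a better choice), and only one default route is installed at a time, so the backup path should be tested with the primary link genuinely down rather than with both links up.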

Hello RJI,

Thanks for such a quick reply.

Yes, I am talking about remote access VPN.

That means I only need to set up the backup server host address (OUTSIDE_2 IP) in the attached image?

I already purchased an SSL certificate for vpn2.mysite.com and installed it on the OUTSIDE_2 interface.

I don't need to configure anything else, like a group policy and a second AnyConnect client profile?

Thanks,

Ankit

Hi,

You only need one AnyConnect profile; define the primary and backup server as per this screenshot:

[Image: backup list.PNG]

Get your certificate re-issued with both FQDNs included in the SAN field, so you won't get any certificate errors.

HTH

Hello,

That means I don't need a second certificate.

I can add both FQDNs in the SAN field and the VPN works for both domains?

Thanks,

Ankit

I don't see why you'd need two certificates; you should just be able to enable the trustpoint on both interfaces, e.g.:

ssl trust-point LAB_PKI OUTSIDE_1
ssl trust-point LAB_PKI OUTSIDE_2

Hello,

Sorry for asking so many questions, but I am kind of new to this ASA field.

In short: re-issue the cert with both FQDNs, assign it to both interfaces OUTSIDE_1 and OUTSIDE_2, and configure the backup server, and that will solve my issue.

Right?

Thanks,

Ankit

Hello RJI,

The problem is that we are using a QuickSSL Premium certificate, and it's not possible to add multiple domains or subdomains under this certificate; that's why we are using two different certificates for the two VPNs.

Thanks,

Ankit
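As an added example for the two-certificate setup Ankit describes (not code from the thread itself): on the ASA each certificate lives in its own trustpoint, and each trustpoint is bound to the interface whose FQDN the certificate covers. The FQDNs vpn.abc.com and vpn2.abc.com are the ones used in the thread; the trustpoint and keypair names are assumptions. AnyConnect validates the server certificate against the HostAddress it connects to (the profile's display name is only a label), so the certificate presented on OUTSIDE_2 must carry vpn2.abc.com.

```cisco
! --- Added example, not from the original thread. Trustpoint and keypair names are assumed. ---

! One trustpoint per certificate. The fqdn / subject-name must match the host name
! the client will actually use as HostAddress, since that is what it validates against.
crypto ca trustpoint VPN1_CERT
 enrollment terminal
 fqdn vpn.abc.com
 subject-name CN=vpn.abc.com
 keypair VPN1_KEY
crypto ca trustpoint VPN2_CERT
 enrollment terminal
 fqdn vpn2.abc.com
 subject-name CN=vpn2.abc.com
 keypair VPN2_KEY

! Bind each certificate to the interface that serves its FQDN
! (the same trustpoint would be bound to both interfaces only with a SAN cert covering both names)
ssl trust-point VPN1_CERT OUTSIDE_1
ssl trust-point VPN2_CERT OUTSIDE_2

! Verification commands:
!   show run ssl                          (which trustpoint is bound to which interface)
!   show crypto ca certificates VPN2_CERT (subject, SAN, validity and issuer of the vpn2 cert)
```

The CA chain (root and any intermediate) for each certificate must also be authenticated into its trustpoint with `crypto ca authenticate`, otherwise the client can see an incomplete chain even when the names match.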

Hello there,

As per your suggestion, I added the backup server vpn2.abc.com, and it worked if I enter the FQDN in the Cisco AnyConnect client.

If I try with the display name, it says Contacting "whatever the display name is", takes a few seconds and then tries contacting the backup server, but the problem is that a "connection is not secure" error shows up.

As I said, vpn.abc.com is set up on the OUTSIDE_1 (primary internet) interface with an SSL cert, and

vpn2.abc.com is set up on the OUTSIDE_2 (secondary internet) interface.

Even if I connect through the FQDN, I cannot access a couple of things through the backup VPN, for example Simple Help and the company app.

Thanks