VPN and web on two links

danilokorber
Level 1

Hi all,

I've been looking through the group and see a lot of questions about
load-balancing outbound traffic on two internet links. My question is
a bit different and I can't seem to find an answer online.

I've got an ASA 5550 with 2 internet links, A and B.
Currently, the ASA is doing NAT for the office network over the A
connection and receiving incoming VPN client connections on that same
A connection. This is all fine. But what I would also like to
have, is the ASA accepting VPN client connections on the B link. I
can't seem to get this working.

Anyone got an idea where to look?

Thanks!

1 Accepted Solution

Jennifer Halim
Cisco Employee

No, this is not something that is supported. VPN Client connecting to both ISP links requires 2 default gateways which are active at the same time. ASA does not support this setup. It does not support 2 default gateways active at the same time. It only supports 2 ISP links when one is configured as a backup for when the primary ISP link goes down.

You can, however, configure the second ISP for site-to-site VPN and the first ISP for VPN client and normal outbound internet access, because with site-to-site VPN you know the static IP address of the peer, so you can create a static route to the peer pointing towards the second ISP link.

Hope that makes sense.
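
The split described in the answer above, sketched as an added configuration example that is not part of the original posts. It uses ASA 8.2-style syntax; the interface names (`outside`, `isp-b`, `inside`), all addresses (documentation ranges), the ACL, crypto map and transform-set names, and the key are assumptions.

```cisco
! Constructed example: names, addresses and key are placeholders.
!
! ISP A (interface "outside"): the only default route.
! VPN clients and normal outbound internet traffic use this link.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! ISP B (interface "isp-b"): no default route. Only a host route to
! the site-to-site peer, whose static address is known in advance.
route isp-b 203.0.113.10 255.255.255.255 198.51.100.1 1
!
! The remote site's LAN must also route via ISP B; otherwise it follows
! the default route and never reaches the crypto map on "isp-b".
route isp-b 10.2.0.0 255.255.0.0 198.51.100.1 1
!
! Interesting traffic: office LAN to remote LAN, exempted from NAT.
access-list L2L-ISPB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list L2L-ISPB
!
! IKE and IPsec parameters; both peers must agree on these.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Bind the tunnel to the ISP B interface only.
crypto map ISPB-MAP 10 match address L2L-ISPB
crypto map ISPB-MAP 10 set peer 203.0.113.10
crypto map ISPB-MAP 10 set transform-set ESP-AES256-SHA
crypto map ISPB-MAP interface isp-b
crypto isakmp enable isp-b
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
```

`show route` should list exactly one default route (via `outside`), and `show crypto isakmp sa` should show the peer once traffic matching the ACL brings the tunnel up.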

Hi Jennifer.

Thanks for the quick answer. It helps a lot, although it made me sad...

I thought route maps could be a solution....

No, unfortunately route-map in ASA can't be used for that.

Please kindly mark the post as answered so others can also learn from your post. Thank you.

Hi Jennifer,

What if I have two ASAs working as active-active failover? Can I use navigation on link A and VPN on link B, both links on different appliances?

Hi,

Active/Active failover means the ASAs are in multiple context mode. VPN is not supported on multiple contexts.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146698

Regards,

Anisha

P.S.: Do rate helpful posts.