09-27-2016 02:35 PM
Hi,
I got two ISPs terminating on my Cisco ASA 5505.
ISP1 has the default route with metric 1 and all internet traffic goes through it; global NAT is for this ISP.
I want to use my ISP only for VPN connections, but I cannot even ping the second ISP from outside. This ISP2 has the default route pointing to it with metric 2.
Please let me know if this is even possible as I tried to search for this and did not find anything supporting this.
Regards
Vaibhav
09-27-2016 04:12 PM
Yes, I have setup a couple like this. They were 5510 or higher but the concept is the same.
We typically use IP SLA with the default route tracking an rtr operation. This is as described in this document:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html
Other than that, just put definitions for both your public addresses in your peer's VPN setup. When your primary link is not available it should fail over to your secondary link and that link now has your default route and thus reaches the peer's address via that path.
09-28-2016 02:16 AM
Hi Marvin,
Thanks for this.
But we do not want to use ISP failover. We want to use the first ISP for outbound and the other only for VPN, so no failover is required. Another important thing is that we are on version 8.2.
Current route statement is :
route ISP1 0.0.0.0 0.0.0.0 x.x.x.x 1
route ISP2 0.0.0.0 0.0.0.0 y.y.y.y 2
NAT is :
global (outside) 1 interface
nat (inside) 1 My-LAN 255.255.255.0
So in this case, with my secondary ISP having a route with lower metric, is it possible to have a site-to-site VPN configured?
Thanks in advance!!
Regards
Vaibhav
09-28-2016 07:03 AM
You would not do that using default routes. You would need to set a host route (/32) to your site-site VPN peer telling it to use the ISP2 interface and ISP2 gateway.
In that case, most specific route would be used vs metric.
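The route selection the last reply relies on, modelled as an added example that is not part of the original thread: a lookup that prefers the longest matching prefix and uses the metric only as a tie-breaker. The gateway and peer addresses are constructed documentation addresses standing in for the masked x.x.x.x / y.y.y.y values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values: the thread masks its gateways as x.x.x.x / y.y.y.y,
# so RFC 5737 documentation addresses stand in for them here.
ISP1_GW = "198.51.100.1"   # stands in for x.x.x.x
ISP2_GW = "203.0.113.1"    # stands in for y.y.y.y
VPN_PEER = "192.0.2.50"    # hypothetical site-to-site peer address

# (interface, destination prefix, gateway, metric) as posted in the thread
ROUTES = [
    ("ISP1", "0.0.0.0/0", ISP1_GW, 1),
    ("ISP2", "0.0.0.0/0", ISP2_GW, 2),
]
# The host route from the answer, i.e. a line of the form
#   route ISP2 <peer-ip> 255.255.255.255 y.y.y.y 1
HOST_ROUTE = ("ISP2", VPN_PEER + "/32", ISP2_GW, 1)


def lookup(routes, dst):
    """Return (interface, gateway) used to reach dst, or None if no route.

    The longest matching prefix wins; the metric only breaks ties
    between routes of equal prefix length.
    """
    addr = ipaddress.ip_address(dst)
    matches = []
    for ifname, prefix, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            # Negative prefix length so min() picks the most specific route.
            matches.append((-net.prefixlen, metric, ifname, gw))
    if not matches:
        return None
    _, _, ifname, gw = min(matches)
    return ifname, gw


def egress_report(routes, destinations):
    """Map each destination to the interface/gateway the table selects."""
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    internet_host = "198.18.0.10"  # constructed non-peer destination
    for label, table in (("defaults only", ROUTES),
                         ("with /32 host route", ROUTES + [HOST_ROUTE])):
        print(label, egress_report(table, [VPN_PEER, internet_host]))
```

With only the two default routes, traffic to the peer leaves via ISP1; once the /32 is present, the peer is reached via ISP2 while every other destination still follows the metric 1 default.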