Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
560
Views
0
Helpful
2
Replies

VPN site-to-site over specific WAN line

RexPr
Level 1
Level 1

‎10-14-2021 02:44 AM

I have one ASA with 3 wan, configured for internet access and site-to-site VPN with remote office. I'm not sure which WAN line is used for VPN traffic. How to check, and how to force a specifiv WAN for VPN traffic?.

 

Fabrizio

Fabrizio www.rfc.it
Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎10-14-2021 02:48 AM

@RexPr if you already have a VPN established, run "show crypto ipsec sa" and look for the "local addr" near the top of the output, this will confirm your local IP address of the interface used to establish the VPN.

 

If you wish to force the VPN to establish on another interface and if the other interface is not the default route, create a static route to the peer's public IP address via the other WAN interface. Enable the crypto map and ikev1/ikev2 on the other WAN interface.

 

HTH

0 Helpful

RexPr
Level 1
Level 1
In response to Rob Ingram

‎10-25-2021 02:08 PM

Hello @Rob Ingram, thank you for your advice and sorry for my late reply. I've followed your suggestions, all seems ok, but the traffic is routed on the wrong interface. This is clear also looking at the interfaces statistics.
The local address shown on "show crypto ipsec sa" command is correct. Also, I have inserted a specific route for peer interface, but without result. :-).

 

F.

 

Fabrizio www.rfc.it
0 Helpful
Customers Also Viewed These Support Documents