
VPN site-to-site over specific WAN line

RexPr
Level 1

I have one ASA with 3 WANs, configured for internet access and site-to-site VPN with a remote office. I'm not sure which WAN line is used for VPN traffic. How can I check, and how can I force a specific WAN for VPN traffic?

 

Fabrizio

Fabrizio www.rfc.it
2 Replies

@RexPr if you already have a VPN established, run "show crypto ipsec sa" and look for the "local addr" near the top of the output; this will confirm the local IP address of the interface used to establish the VPN.

 

If you wish to force the VPN to establish on another interface and if the other interface is not the default route, create a static route to the peer's public IP address via the other WAN interface. Enable the crypto map and ikev1/ikev2 on the other WAN interface.

 

HTH
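
The steps in the reply above, written out as ASA CLI. This is an added example, not part of the original reply; the interface name `outside2`, the crypto map name `VPN-MAP`, and all addresses (documentation ranges) are assumptions to be replaced with your own values.

```cisco
! Assumed values (not from the thread):
!   outside2        WAN interface the tunnel should use
!   198.51.100.1    next-hop gateway on outside2
!   203.0.113.10    remote peer's public IP
!   10.20.0.0/24    remote protected subnet behind the peer
!   VPN-MAP         existing crypto map that holds the tunnel entry
!
! 1. Host route so IKE/ESP to the peer leaves via outside2, not the default route
route outside2 203.0.113.10 255.255.255.255 198.51.100.1
!
! 2. Not stated in the reply: with a crypto-map (policy-based) tunnel the ASA
!    picks the egress interface from the routing table before it evaluates the
!    crypto map, so the remote protected subnet must also route via outside2
route outside2 10.20.0.0 255.255.255.0 198.51.100.1
!
! 3. Bind the crypto map to the chosen WAN interface
crypto map VPN-MAP interface outside2
!
! 4. Enable the IKE version the tunnel uses on that interface (one or both)
crypto ikev1 enable outside2
crypto ikev2 enable outside2
!
! 5. Verify: "local addr" should be the outside2 address, and the routes
!    from steps 1 and 2 should appear against outside2
show crypto ipsec sa peer 203.0.113.10
show route
```

The remote office must also expect the tunnel from the public IP of `outside2`, otherwise its peer definition will not match.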

Hello @Rob Ingram, thank you for your advice and sorry for my late reply. I've followed your suggestions and all seems OK, but the traffic is routed on the wrong interface. This is also clear from the interface statistics.
The local address shown by the "show crypto ipsec sa" command is correct. Also, I have inserted a specific route for the peer interface, but without result. :-)

 

F.

 

Fabrizio www.rfc.it