09-08-2021 02:20 AM
Hi All,
I work for an MSP, where we host virtual environments for customers. Each customer is hosted behind a dedicated virtual ASA; we then build IPsec tunnels from whatever device they have in their office to the ASAv in our data center.
One customer wanted the VPN to their corp office to use 0.0.0.0/0 as the remote subnet. So our side of the tunnel is 192.168.1.0/24 and their side is 0.0.0.0/0. Yes, this has caused all the problems you can imagine it would. They would now like us to add a second tunnel to a different endpoint, which terminates to a specific network, 10.1.1.0/24.
Is there a way to set this up without changing the first tunnel to specified networks? Is there a way to put in route statements, or prioritize which tunnel gets used first? I've had the discussion with the customer many times about terminating to 0.0.0.0/0 every time they complain that something doesn't work from a network or internet perspective, but they still refuse to name networks on the first tunnel, because they don't want to have to change the tunnel any time they spin up a new network or remote site on their side.
09-08-2021 02:32 AM
The lower the sequence number, the higher the priority - so ensure the second tunnel has a lower sequence number than the original tunnel (0.0.0.0/0), then traffic will only be routed over the original tunnel if it doesn't match any of the other sequence numbers with a better priority.
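What that ordering looks like on the ASAv, as an added example that is not from the thread or from Cisco. Assumed names: ACLs VPN-TO-CORP and VPN-TO-SITE2, crypto map OUTSIDE_MAP on interface "outside", transform set ESP-AES256-SHA, and documentation peer addresses 203.0.113.10 (corp, the 0.0.0.0/0 tunnel) and 203.0.113.20 (the new 10.1.1.0/24 endpoint); if the existing catch-all entry already holds the lowest sequence number, give the new entry a smaller one (or renumber the old one) so the same order results.

```cisco
! Added example; names, addresses and sequence numbers are assumptions, not the poster's config.
!
! Existing tunnel: our 192.168.1.0/24 to the customer's 0.0.0.0/0 (catch-all, destination "any")
access-list VPN-TO-CORP extended permit ip 192.168.1.0 255.255.255.0 any
! New tunnel: our 192.168.1.0/24 to the specific remote network 10.1.1.0/24
access-list VPN-TO-SITE2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map entries are evaluated in ascending sequence order; the first matching ACL wins.
! The specific network must be checked first, so it gets the lower number (10).
crypto map OUTSIDE_MAP 10 match address VPN-TO-SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.20
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! The 0.0.0.0/0 tunnel keeps the higher number (20) and only sees traffic that
! no lower-numbered entry matched.
crypto map OUTSIDE_MAP 20 match address VPN-TO-CORP
crypto map OUTSIDE_MAP 20 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per peer (pre-shared keys are placeholders)
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-SITE2>
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-CORP>
!
! Verify the order and confirm 10.1.1.0/24 traffic lands on the new peer's SA:
! show crypto map
! show crypto ipsec sa peer 203.0.113.20
```

Note that the match is on the crypto ACL alone, not on tunnel state: if the 10.1.1.0/24 peer is down, traffic to that network still matches entry 10 and fails there rather than falling back to the 0.0.0.0/0 tunnel.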
09-08-2021 02:50 AM
That was what I was suspecting. We will give it a try, thank you very much!