05-13-2011 08:43 AM
Hi everybody,
A customer asked me to implement this topology:
where:
ISP 1 is used as Primary internet connection.
ISP 2 will be used to connect remote users by means of VPN IPsec.
Currently, I'm not looking for Active/Backup functionality; I need to know if I can use both ISP connections (as I wrote before): one ISP for the company internet connection and the other one for remote user VPN access.
I have read some posts where it is said that it is possible, but I want to be sure.
regards,
Jose
05-13-2011 10:04 AM
yes, it works.
The VPN client will point to the public IP on the interface facing ISP2. When the VPN traffic from the client reaches the ASA, the ASA will forward it based on its routing table.
The traffic from internal to the VPN client will again be forwarded to the ISP2 link accordingly, since after the VPN client is connected, a static route will be added automatically in the routing table which points to ISP2.
05-13-2011 11:59 AM
Hi Yudong,
thanks for the reply, when you said:
"The traffic from internal to VPN client again will be forwarded to ISP2 link accordingly since after VPN client is connected, a static route will be added automatically in the routing table which points out to ISP2"
Do I have to set up some kind of floating route in the ASA, or will the ASA "literally" add the route to the routing table?
Also, what kind of NAT considerations should I have with the NAT process?
regards,
Jose
05-13-2011 12:31 PM
The ASA should add the static route into the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if it doesn't, you can just manually configure one which will forward any packet to the VPN client's IP to ISP2.
Regarding NAT, in general, VPN traffic should bypass the NAT. You can use "nat (inside_interface_name) 0 access-list" with an ACL which defines the VPN traffic to do that.
05-13-2011 01:21 PM
thanks a lot Yudong,
Finally, do you have any guide or link related to this kind of deployment?
Regards,
Jose
05-13-2011 01:45 PM
Sorry, I don't have a guide about this, but it should be straightforward: the VPN access and the internet access are just implemented on two different interfaces.
You can find a lot of example configurations in the link below.
http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html
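An added configuration sketch of the setup the answers above describe (Internet out ISP1, remote-access IPsec terminating on the ISP2 interface, VPN traffic exempted from NAT); this is not from the thread or from Cisco's example list, it uses the pre-8.3 syntax that the "nat 0 access-list" command belongs to, and the interface names, object names, pool and addresses (RFC 5737 documentation ranges) are assumptions:

```cisco
! Two outside interfaces: ISP1 carries normal Internet traffic, ISP2 terminates the VPN
interface GigabitEthernet0/0
 nameif outside-isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside-isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
! Default route via ISP1: company Internet traffic goes here
route outside-isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
! Address pool handed to remote users (assumed range); when a client connects the ASA
! installs a host route for its address pointing at outside-isp2, which is how return
! traffic from the inside reaches the client; "set reverse-route" below makes that explicit
ip local pool VPN-POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
! NAT exemption: inside <-> VPN pool traffic bypasses NAT ("nat 0 access-list")
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
! Ordinary Internet traffic from the inside keeps its PAT to the ISP1 interface address
global (outside-isp1) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
! IKE/IPsec is enabled only on the ISP2-facing interface; clients connect to 198.51.100.2
crypto isakmp enable outside-isp2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map ISP2-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map ISP2-MAP interface outside-isp2
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-KEY
```

After a client connects, "show route" should list a host route for the assigned pool address via outside-isp2 while the default route still points at ISP1; if the host route is missing, a manual static route for the pool out outside-isp2 is the fallback the accepted answer mentions.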
07-12-2011 01:40 PM
Hi Jose
Can you post your config with VPN packets routed through the secondary ISP? I have the exact same scenario.
Thx