
VPN traffic through a secondary ISP

jose cortes
Level 1

Hi everybody,

A customer asked me to implement this topology:

[Image: 5505 VPN DSL connection.png]

where:

ISP 1 is used as Primary internet connection.

ISP 2 will be used to connect remote users by means of VPN IPsec.

Currently, I'm not looking for Active/Backup functionality. I need to know if I can use both ISP connections (as I wrote before): one ISP for the company internet connection and the other one for the remote user VPN access.

I have read some posts where it is said that this is possible, but I want to be sure.

regards,

Jose


Yudong Wu
Level 7

Yes, it works.

The VPN client will point to the public IP on the interface facing ISP2. When the VPN traffic from the client reaches the ASA, the ASA will forward it based on its routing table.

The traffic from internal to the VPN client will again be forwarded to the ISP2 link accordingly, since after the VPN client is connected, a static route which points to ISP2 will be added automatically to the routing table.

Hi Yudong,

Thanks for the reply. When you said:

"The traffic from internal to the VPN client will again be forwarded to the ISP2 link accordingly, since after the VPN client is connected, a static route which points to ISP2 will be added automatically to the routing table"

Do I have to set up some kind of floating route in the ASA, or will the ASA literally add the route to the routing table?

Also, what kind of NAT considerations should I have with the NAT process?

regards,

Jose

The ASA should add the static route into the routing table automatically when the VPN client is connected. So, in general, you don't need to do anything. But if it doesn't, you can just manually configure one which will forward any packet to the VPN client's IP to ISP2.

Regarding NAT, in general, VPN traffic should bypass the NAT. You can use "nat (inside_interface_name) 0 access-list" with an ACL which defines the VPN traffic to do that.
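
The two points in the answer above (NAT exemption for VPN traffic and a manual route toward the VPN clients via ISP2), sketched as a configuration fragment in the pre-8.3 `nat ... 0 access-list` syntax the answer uses. This is an added example, not part of the original thread; the interface names (`inside`, `isp1`, `isp2`), the ACL and pool names, and all addresses are assumptions taken from documentation ranges.

```cisco
! Added example. Names and addresses are assumed, not from the thread.
! inside LAN: 192.168.1.0/24   VPN client pool: 10.99.0.0/24
! isp1 gateway: 203.0.113.1    isp2 gateway: 198.51.100.1

! ISP 1 stays the primary Internet path: the default route points to it.
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1

! Addresses handed out to remote-access VPN clients.
ip local pool VPNPOOL 10.99.0.1-10.99.0.50 mask 255.255.255.0

! ACL that defines the VPN traffic: inside LAN to the client pool only.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.99.0.0 255.255.255.0

! NAT exemption: traffic matching the ACL bypasses NAT.
nat (inside) 0 access-list NONAT

! Manual fallback if the ASA does not install the client route itself:
! send packets destined to the VPN client addresses toward ISP 2.
route isp2 10.99.0.0 255.255.255.0 198.51.100.1 1

! Check after a client connects:
!   show route             (client addresses should point to isp2)
!   show crypto ipsec sa   (encaps/decaps counters should both increase)
```

Keep the exemption ACL limited to the inside-to-pool pair; a broader entry exempts more traffic from NAT than the VPN needs.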

Thanks a lot, Yudong,

Finally, do you have any guide or link related to this kind of deployment?

Regards,

Jose

Sorry, I don't have a guide about this, but it should be straightforward; just the VPN access and internet access are implemented on two different interfaces.

You can find a lot of example configurations in the link below.

http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html

Hi Jose

Can you post your config with VPN packets routed through the secondary ISP? I have the exact same scenario.

Thx