Re: VPN

networkanalyst · ‎09-26-2022

Hello all,

I'm doing a firewall project and currently I need to remote access user to route to a difference next hop than the one they use currently.

Flow is the Anyconnect remote access users terminate onto the ASA and route internally to internal servers they airpin if using default route to the internet pretty standard.

new set up is I want the the vpn users to be policy based routed and to go to next hop which is another firewall is this possible?

MHM Cisco World · ‎09-26-2022

I think If I understand you
ASA1 is end of VPN anyconnect
Anyconnect will forward to ASA2 which have default route different than ASA1 ?
if above Yes then you need PBR in ASA2
and in ASA1 you only need static route to ASA2

networkanalyst · ‎09-26-2022

ASA1 is the vpn headend it won't forward to ASA2 be default it will go south to ASA3, ASA2 is new firewall which is also connected to internet.

Normal path is ASA1 to ASA3 , ASA3 sendings to ASA2 if default route, if lan then ASA3 sends to to the LAN which is it connected to.

What we trying to do is send anyconnect clients from ASA 1 and from ASA1 if default route then to internet if LAN resources send to ASA3

hope this makes sense.

MHM Cisco World · ‎09-26-2022

can you draw the topology ?