2 wan ports for VPN on 5510?

Unanswered Question
Mar 12th, 2009

Anyone?...Bueller?

I wanted to move my 30 site-to-site VPNs to another WAN circuit. I configured a second interface on the asa5510 for my other WAN circuit and re-created my test VPN profile for the second interface. On the remote side is an asa5505. I can ping from the remote side to a host behind the 5510. I can see the ping requests and replies on the host, and in the 5510 log it appears they are going out, but I never see them on the remote side. The default route is the original interface, and there are 30 or so active VPNs there. I created a second static route out the second interface to the 5505's IP. Not sure if that was needed, but it made sense. Anyone have an idea how to troubleshoot this? Or is it even possible?


(I am assuming second interface is from another Internet Provider)

Well, you need to make use of static routes in this case. Since the original interface has the default route attached to it, all the traffic would go through that interface only. But if you want one tunnel to terminate on the second interface you created, you can add a static route for the peer of that VPN with the next hop of the router which is connected to the second interface. For example:

Interface 2 on ASA: 10.10.10.10

Router connected to Interface 2: 10.10.10.11

Site to Site VPN Peer: 1.1.1.1 (You want to move this peer to second interface)

Make a static route on ASA:

route (your second interface name) 1.1.1.1 255.255.255.255 10.10.10.11

And so on: for every peer you can make a static route, and on those peers you can define this interface IP (10.10.10.10) as the peer.

The rest of the configuration would be the same, I think. Cheers.
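
The pieces the answer above describes, put together as an added example configuration (not posted in this thread and not Cisco's own sample). It assumes ASA 8.0-8.2 syntax (pre-8.3 NAT), an original WAN interface named "outside", a new one named "outside2" using the addresses from the answer (interface 10.10.10.10, upstream router 10.10.10.11, peer 1.1.1.1), a placeholder default gateway 203.0.113.1 for the original circuit, and placeholder LANs 192.168.1.0/24 (behind the 5510) and 192.168.2.0/24 (behind the remote 5505). The verification commands at the end are the ones a practitioner would run to find where the return traffic is being dropped.

```cisco
! Added example, not from the thread. Interface names, the /24 masks, the
! default gateway 203.0.113.1, the LAN ranges and the PSK are assumptions.

interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 10.10.10.10 255.255.255.0

! The default route stays on the original circuit. The /32 host route for the
! peer is more specific than 0.0.0.0/0, so only traffic to 1.1.1.1 leaves via
! outside2 and the other 30 tunnels are untouched.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 1.1.1.1 255.255.255.255 10.10.10.11 1

! Interesting traffic for the tunnel and the matching NAT exemption (pre-8.3
! form). If the reply traffic is NATed instead of exempted, it will leave the
! ASA in the clear on the default route and never reach the remote host.
access-list L2L_1_1_1_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ISAKMP must be enabled on the new interface and a crypto map bound to it;
! a crypto map bound only to "outside" will never negotiate on outside2.
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map MAP_OUTSIDE2 10 match address L2L_1_1_1_1
crypto map MAP_OUTSIDE2 10 set peer 1.1.1.1
crypto map MAP_OUTSIDE2 10 set transform-set ESP-AES256-SHA
crypto map MAP_OUTSIDE2 interface outside2

! The remote 5505 must use 10.10.10.10 (the outside2 address) as its peer.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-CHANGE-ME

! Verification: phase 1 and phase 2 state, and whether the encaps/decaps
! counters for this peer both increase while hostB pings hostA.
show crypto isakmp sa
show crypto ipsec sa peer 1.1.1.1

! Simulate hostA's ICMP echo reply (type 0, code 0) to hostB and watch which
! phase (ACL, NAT, VPN encrypt, route) drops it and which egress interface
! is chosen; this separates an ASA problem from an upstream-router problem.
packet-tracer input inside icmp 192.168.1.10 0 0 192.168.2.10
```

If `show crypto ipsec sa peer 1.1.1.1` shows decaps climbing but encaps stuck at zero, the ASA is receiving the tunnel but not encrypting the replies, which usually points at the NAT exemption or the crypto ACL; if both counters climb and the output of packet-tracer reports "ALLOW" with egress outside2, the drop is beyond the ASA, on the upstream router or circuit.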

ciscospaz Mon, 03/16/2009 - 09:05

Thanks for your suggestion. This had already occurred to me, and it's what got the IPsec to establish the tunnel. What happens is I ping from hostB on the remote side subnetB, and I see the packets come in to hostA across the tunnel. HostA sends replies, and the ASA on subnetA builds the outbound connection, but the packets never reach hostB.

ciscospaz Mon, 03/16/2009 - 10:18

Yes, I've done this:

route <2nd interface name> 255.255.255.255

This is what got the IPSec tunnel established.

Hold on...my upstream router may be dropping the ping packets, since other apps are working... I'll let ya know.
