Terminating VPNs onto multiple ASA outside interface (dual ISP)

Unanswered Question
Mar 19th, 2009

Hi,

I'm configuring a new ASA and have a question on the VPN configuration. I have two outside interfaces, call them "outside1" and "outside2". Each of them go to separate ISPs, and we use "route ... track" to failover to the second ISP if the first one goes down. I was hoping that I could configure the ASA to listen to IP addresses on both ISPs to terminate IPSEC VPN tunnels. Specifically, I'd like to have the IPSEC VPN Client list an ISP1 IP address as the primary VPN address, and an ISP2 IP address as the backup VPN address.

In the pre-ASA days, I had a VPN concentrator terminating VPN tunnels behind a firewall/router doing NAT. The firewall NAT-ed both ISP's addresses (ports 500/4500) over to the concentrator, and it would happily terminate VPN tunnels coming from either ISP.

Now, with the ASA, it seems like it can only terminate tunnels on the primary ISP (i.e. where the default route points), because when VPN clients try to connect into the backup ISP, the tunnel won't come up because the ASA wants to use the default route going back. I opened a TAC case and they said it won't work...

Now WebVPNs to the ASA will, in fact, work to either ISP interface.

Is there any way to achieve this?

It seems like it should work if I were to add a router out in front of the ASA (and NAT the 500/4500 ports just like the old config with the concentrator), but I'd really rather not have to throw more hardware at this if possible.

Thanks in advance...

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion