Can I do load-sharing on the ASA when using Site-to-Site VPN?

Unanswered Question
Mar 19th, 2009

I'm using ASA as a VPN concentrator on HQ site. I've used Public IP addresses on both interfaces, Inside and Outside. I've had 4 branch sites connecting to HQ using Site-to-Site VPN. How can I do load-sharing with those 2 interfaces on ASA? What I want to do is that 2 branch sites peer with the outside interface and the other 2 branch sites peer with the inside interface. Is this possible? If not, what's the best practice to do?



thotsaphon Fri, 03/20/2009 - 11:42

Hi Andrew,

Thanks for the prompt. What I'm going to do at HQ site is as follows:

- I've got 2 WANs (2 ISPs)

- I've got a load balance box.

- I've got 2 Public IP Blocks from 2 ISPs

ASA --> Default Route --> LoadBalanceBox --> 2 separate WANs (2 ISPs)

Outside(Untrust) interface will be assigned with the public ip address of ISP-A.

Inside(Trust) interface will be assigned with the public ip address of ISP-B.

I've got 4 branch sites to do site-to-site VPN with HQ site.

I want the 2 branch sites to peer with the outside interface on the ASA (Via ISP-A).

I want the other 2 branch sites to peer with the inside interface on the ASA (Via ISP-B). But traffic will go from outside-to-inside. Is this allowed by ASA?

Hope I explained a bit more about my question in detail.

Please share what you guys think.



thotsaphon Fri, 03/20/2009 - 12:26

Hi Andrew,

That's why I called it "Load-Sharing". I want to use 2 ISPs for peering IPSec VPN. Actually I can do NAT (udp/500, 4500) on the device connecting to ISP-A to terminate IPSec packets on the outside interface as if the packets came from ISP-B. I just want to know whether ASA allows us to do an IPsec peer on the inside interface with packets coming in from the outside interface or not.



JamesLuther Fri, 03/20/2009 - 12:28

Hi Toshi,

This isn't how I would implement it.

It sounds like you have two Provider Allocated (PA) IP ranges and therefore you require two interfaces with public IPs. However I would configure two outside interfaces and IP your inside interface using private addressing, i.e.

interface Ethernet0
 nameif ISP1
 security-level 0

interface Ethernet1
 nameif ISP2
 security-level 0

interface Ethernet4
 nameif inside
 security-level 100
 ip address

VPN traffic will be allowed to go from outside to inside if it's defined in the crypto ACL.

There are also lots of other designs you could do, i.e. with a layer of routers and NAT, or multi-context mode ASA.
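A fuller version of the two-outside-interface design James sketches, as an added example that is not from this thread or from Cisco. Addresses, ACL and crypto map names, peer IPs and pre-shared keys are constructed assumptions (documentation ranges and placeholders), the syntax is ASA 8.2-era, and it shows one branch per ISP; the other two branches follow the same pattern.

```text
! Added example (constructed): ISP-A hands out 203.0.113.0/29, ISP-B 198.51.100.0/29,
! inside is private 10.1.0.0/24; branch 1 peers via ISP-A from 192.0.2.10,
! branch 3 via ISP-B from 192.0.2.30. Pre-8.3 NAT syntax.
interface Ethernet0
 nameif ISP1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet1
 nameif ISP2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet4
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
! Crypto ACLs: one per branch, only the subnets that belong in each tunnel.
access-list VPN-BRANCH1 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-BRANCH3 extended permit ip 10.1.0.0 255.255.255.0 10.4.0.0 255.255.255.0
! NAT exemption so inside hosts keep their private addresses inside the tunnels.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.4.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
! IKE listens only on the two outside interfaces, never on inside.
crypto isakmp enable ISP1
crypto isakmp enable ISP2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! One crypto map per ISP interface; each carries only the branches peering through that ISP.
crypto map MAP-ISP1 10 match address VPN-BRANCH1
crypto map MAP-ISP1 10 set peer 192.0.2.10
crypto map MAP-ISP1 10 set transform-set ESP-AES256-SHA
crypto map MAP-ISP1 interface ISP1
crypto map MAP-ISP2 10 match address VPN-BRANCH3
crypto map MAP-ISP2 10 set peer 192.0.2.30
crypto map MAP-ISP2 10 set transform-set ESP-AES256-SHA
crypto map MAP-ISP2 interface ISP2
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key BRANCH1-PSK-PLACEHOLDER
tunnel-group 192.0.2.30 type ipsec-l2l
tunnel-group 192.0.2.30 ipsec-attributes
 pre-shared-key BRANCH3-PSK-PLACEHOLDER
! Default route via ISP-A; the host route forces branch-3 IKE/ESP out ISP2, otherwise the
! ASA would answer via ISP1 and the MAP-ISP2 tunnel would never come up.
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1
route ISP2 192.0.2.30 255.255.255.255 198.51.100.1 1
```

With `sysopt connection permit-vpn` at its default, decrypted traffic bypasses the interface ACLs, so the crypto ACLs are the only thing limiting what each branch can reach; keep them to the specific subnets rather than `any`.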



thotsaphon Fri, 03/20/2009 - 12:34

Hi James,

Thanks for that. The inside interface is connecting to all hosts assigned with the public ip addresses of ISP-A. This is the existing network. That's why I can't do 2 outside interfaces on the ASA.



thotsaphon Fri, 03/20/2009 - 13:40


Don't get me wrong. I indeed have 2 interfaces, Outside and Inside. They both have been assigned with different public ip addresses from different ISPs. My question is "Does ASA allow us to use the inside interface to do IPSec peer with the other devices coming from the outside interface?".



