VPN L2L connection using 2 different WAN interface on central ASA

Unanswered Question
Apr 23rd, 2009
User Badges:

Hello everybody

I am new to ASA configuration and I need some advice.

I have an ASA IPSEC VPN Hub and Spoke configuration with fixed IP@ (outside) on the central ASA and dynamic IP@ on the spokes.

I have now a new ISP link connected to my central ASA (new interface let's say outside2) and I'd like to migrate some L2L VPN links to that new interface 'outside2', whereas some remain on the other interface 'outside'.

Is that possible ?

I can't understand what to do with the routes. The central ASA can only have one default route but how is it aware of the public IP@ of the spokes in order to establish the tunnel via outside or outside2 interface ?

Thanks for your help


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
plumbis Fri, 04/24/2009 - 19:15
User Badges:
  • Silver, 250 points or more

I believe the only way to accomplish this would be with static routes to the remote sites pointing at your new outside2 interface. Then configure your tunnel normally with the remote site pointing to the outside2 IP as its remote peer.

cminard Sun, 04/26/2009 - 23:49
User Badges:

I was afraid of that answer ...

Since remote sites have dynamic IP @, I cannot know in advance which @ they will have so I cannot configure static routes to them ...

Is there no way to force the central ASA respond using interface outside2 when a VPN peer explicitely tries to establish a tunnel to that interface ?

Then, when the VPN tunnel is OK, the inside network @ of remote sites are automatically pushed in the local ASA routing table, isn't it ?


This Discussion