[5510] IPSec on outside and DMZ interfaces

Unanswered Question
Sep 27th, 2009
User Badges:

Hi all,

I have a little question on IPSec on ASA5510.

I want to have a L2L tunnel IPSec on both outside and DMZ interfaces with only two networks.

The VPN on the DMZ interface will be the backup of the outside.

You can see the network diagram in attachment.

Both tunnel seems to mount correctly (one at a time) but with my DMZ interface, I have not connection.

Is there an issue to solve my problem ?

Thanks a lot,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
auraza Mon, 09/28/2009 - 06:54
User Badges:
  • Cisco Employee,

You can have tunnels on two interfaces, but you have to make sure your routing is set up to send traffic out that interface.

If you only want it as a backup, then you need to do something like IP SLA monitoring with route tracking, so when the monitor fails over one link, the route will fail over to the second link.

Similar to this link:


PS. If you found this response helpful, please rate it.

frederic.peng Mon, 09/28/2009 - 07:41
User Badges:

Hi, thanks for your reply.

In fact, I want to have both interface : Outside & DMZ.

The outside interface will only use to nat the inside to Internet and the DMZ will have the VPN.

If my ISP on DMZ failed, I want to have the VPN on my outside interface.

So sla don't answer to my problem ...

Routing seems to cause problem between the two interfaces (dmz, outside) with the same range (the inside).

Finally, i think it's not possible ... but if you have a solution ! ...

auraza Mon, 09/28/2009 - 07:47
User Badges:
  • Cisco Employee,


Looks like it will be difficult to get that working. You could use host routes with the route tracking for the VPN networks and the VPN peer IPs, where it prefers the DMZ interface, however, when it fails, the route is removed, and everything flows out the default interface. The problem with that however, is that the site you are connecting to will need to be set up to allow dynamic connections, with DPD enabled, so it detects when the original IP is unreachable.

This is definitely a tricky solution, but it could work.


This Discussion