hoping you can help here. We currently have an ASA in place with a single outside interface (public ip address) used for our Site-to-Site VPNs, our Dynamic VPN Clients, our publicly reachable servers and, of course, our outgoing traffic. This outside interface has a default route to our gateway router which connects up to the ISP.
Due to congestion issues (internet traffic slowing our Site-to-Site VPN traffic) we ordered a VDSL link from our ISP (as a PPPoE interface with a dynamic address). We would like to use this link for all our internet traffic, while keeping our VPN traffic on the slower speed, statically addressed link. Initially we configured the new VDSL link on an ASA interface, using the PPPoE 'setroute' option to install a default route into the ASA with the next hop provided by the ISP. We then created static routes to our gateway router for the remote endpoints of our Site-to-Site VPN tunnels. We were very pleased with our improved access to the remote sites as well as our speedy new internet connection....and then...
We found our dynamic VPN connections broken - of course - as they were using the statically addressed interface for their tunnel endpoint but the return traffic was going out the VDSL interface to the default gateway. The same problem held true for our externally available resources - requests came down the statically addressed link and responses went out the VDSL link. Traffic behaviour as expected, if not as desired.
So now we are seeking a solution and have come up with the following bright ideas:
1) keep the router on the WAN side of the ASA and attach the VDSL link there, using it as before as the default gateway for outgoing traffic. This would result in all inbound VPN traffic reaching the ASA on its single, outside interface, which would keep the publicly reachable static addresses. However we would have to do some sort of NAT or source routing for dynamic VPN traffic. The more I think about this option the less it looks like a solution.
2) keep everything in the ASA (this is our 'preferred path') but somehow arrange for source routing, or session establishment parameters, to allow us to send traffic out the interface it arrived on. So that if traffic arrived on the VPN, or publicly addressed, interface, responses would be sent back out that same interface.
A cursory examination of the ASA material has not yielded the information, so while I continue searching I thought I'd pose the question to the community as I am certain someone has seen this sort of set up before.
thanks in advance,
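The asymmetric-routing failure the post describes, modelled as an added Python example (not from the poster or from Cisco; the interface names, peer and client addresses are constructed): a destination-only longest-prefix-match lookup over the post's routes shows which replies leave on a different interface from the one the request arrived on, which is the check you would run over connection logs to spot affected flows.

```python
import ipaddress

# Constructed addresses, not from the original post.
# Routing table modelled on the post: PPPoE 'setroute' installs a default
# route out the VDSL interface; static /32 routes send the site-to-site
# peers out the statically addressed 'outside' interface.
ROUTES = [
    ("0.0.0.0/0",       "vdsl"),     # default via ISP-supplied PPPoE next hop
    ("203.0.113.10/32", "outside"),  # site-to-site peer A via gateway router
    ("203.0.113.20/32", "outside"),  # site-to-site peer B via gateway router
]

def egress_interface(dst, routes=ROUTES):
    """Destination-only longest-prefix-match lookup: ingress interface is ignored."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reply_path(ingress_iface, src):
    """Where the reply to a packet that arrived on ingress_iface from src will leave."""
    out = egress_interface(src)
    return {"ingress": ingress_iface, "egress": out, "asymmetric": out != ingress_iface}

def find_asymmetric_flows(flows):
    """flows: (ingress_iface, src) tuples, e.g. taken from connection logs."""
    return [(iface, src) for iface, src in flows if reply_path(iface, src)["asymmetric"]]

if __name__ == "__main__":
    # Constructed flows: a site-to-site peer, a dynamic VPN client, an internet
    # user reaching a published server, and an outbound web session.
    flows = [
        ("outside", "203.0.113.10"),  # site-to-site peer: reply stays on 'outside'
        ("outside", "198.51.100.7"),  # dynamic VPN client: reply leaves via 'vdsl'
        ("outside", "198.51.100.9"),  # client of a published server: same problem
        ("vdsl",    "192.0.2.80"),    # outbound session via VDSL: symmetric
    ]
    for f in flows:
        print(f, reply_path(*f))
```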