Dual Internet Link For VPN

Unanswered Question
Feb 23rd, 2010

I have a firewall ASA 5510. Currently I have a 2 Mbps Internet link. Everything is working fine, but one of the branch users, where we have a site-to-site connection, is complaining about the slowness. So we have decided to arrange one more Internet link which we will only use for that branch's site-to-site VPN connectivity.

I want to configure my firewall in such a way that when the subnets

Head office subnet:

Branch office:

want to reach each other, their VPN traffic should go to the second 1 Mbps link. I don't want to have any load balancing or any failover.

I just want to configure the firewall for the site-to-site VPN in a way that when subnet ( wants to reach a particular destination (, it should go to the second Internet link, and other traffic for remote access VPN and other site-to-site tunnels should use the 2 Mbps link.

Please help me out, this is very urgent.

joneschw1 Tue, 02/23/2010 - 10:24

Well, you're going to need to configure an interface on the ASA to have that 2nd Internet connection. Then, you would configure the peer at the remote side to point to the public IP address of the 2nd interface on the ASA 5510. After that, you'd need to configure the VPN portion. I've never tried this but I believe it will work, so:

Main Office ASA

Interface Ethernet0/3

description P2P VPN Interface

nameif vpnp2p

security-level 1 (you could make this 0 as well but it depends on the code version)

ip address public.ip.address.ofnewconnection 255.255.255.x

no shut

Add the access-list to bypass nat (You probably already have this in your firewall but just in case from your other vpn stuff)

access-list bypassnat extended permit ip

Add the access-list to identify that vpn traffic (you already have this as well probably)

access-list remotesitevpn extended permit ip

apply the nat bypass

nat (inside) 0 access-list bypassnat (this is probably already there)

Write mem at this point then:

crypto map outside_map 25 match address remotesitevpn
crypto map outside_map 25
crypto map outside_map 25 set peer remote.ip.address.ofbranch
crypto map outside_map 25 set transform-set ESP-3DES-SHA
crypto map outside_map interface vpnp2p
crypto isakmp enable vpnp2p

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha    
group 2
lifetime 86400
no crypto isakmp nat-traversal

tunnel-group remote.ip.address.ofbranch type ipsec-l2l
tunnel-group remote.ip.address.ofbranch ipsec-attributes
pre-shared-key *************

The remote office asa would stay the same except you make the changes to point it to the new IP address.

wasiimcisco Tue, 02/23/2010 - 11:23

Thanks for the reply. I can understand the VPN configuration, but what about routing? How will I send the traffic towards the new Internet link?

My firewall has one default route towards ISP 1.

When I connect my second Internet link, how do I send traffic towards the second Internet link?

How do I configure routing?

joneschw1 Wed, 02/24/2010 - 07:22

Ah, I see. Sorry for the misunderstanding. What you want is policy-based routing (PBR). Unfortunately, I do not believe that is available yet for the ASA. I saw somewhere that it was on the road map, but who knows... You might look at doing some QoS for the site-to-site VPN (which is available), or you can purchase a router to do the PBR for you. I think you could trick the ASA by using static entries and then having 2 routes, but that would probably send all VPN traffic from a certain host out the 2nd connection. I'd probably try the QoS first and see what they say.
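The following is an added, consolidated example that is not part of the thread and not the configuration of either poster. It shows the "static entries and two routes" idea from the last reply worked through in the pre-8.3 ASA syntax the thread uses, without any policy-based routing: the ASA picks the egress interface by destination, so the branch LAN prefix and the branch peer's public address are both routed via the new interface, the crypto map for that tunnel is bound only to that interface, and the existing default route on the outside interface keeps carrying the remote-access and other site-to-site tunnels. All addresses are constructed placeholders (RFC 5737 documentation ranges and private 10.x subnets); the interface, map and ACL names are assumptions, not the thread's.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax to match the 2010 replies.
! Constructed placeholder addressing (assumptions):
!   head-office LAN          10.1.0.0/24
!   branch LAN               10.2.0.0/24
!   ISP2 link on the ASA     203.0.113.2/30, ISP2 gateway 203.0.113.1
!   branch ASA public IP     198.51.100.10
!   ISP1 default gateway     <isp1-gateway>  (already in the running config)
!
! 1. Second Internet link on its own interface.
interface Ethernet0/3
 description ISP2 - used only for the branch site-to-site tunnel
 nameif vpnp2p
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! 2. Routing. No PBR needed: the egress interface is chosen by destination.
!    The existing default route stays on outside for everything else.
route outside 0.0.0.0 0.0.0.0 <isp1-gateway> 1
!    Branch LAN (cleartext) and branch peer (ESP/ISAKMP) both leave via ISP2.
route vpnp2p 10.2.0.0 255.255.255.0 203.0.113.1 1
route vpnp2p 198.51.100.10 255.255.255.255 203.0.113.1 1
!
! 3. Interesting traffic for the tunnel and the matching NAT exemption.
access-list branch_vpn extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list bypassnat extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list bypassnat
!
! 4. A separate crypto map bound only to the ISP2 interface. The existing
!    outside_map (remote access and the other L2L tunnels) stays on outside.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnp2p_map 10 match address branch_vpn
crypto map vpnp2p_map 10 set peer 198.51.100.10
crypto map vpnp2p_map 10 set transform-set ESP-3DES-SHA
crypto map vpnp2p_map interface vpnp2p
crypto isakmp enable vpnp2p
!
! 5. Phase 1 policy is global; reuse the one already on the box or add this.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>
!
! 6. Checks once the branch ASA has been repointed to 203.0.113.2:
!    show route                               -> 10.2.0.0/24 and 198.51.100.10/32 via vpnp2p
!    show crypto isakmp sa                    -> peer 198.51.100.10 in state MM_ACTIVE
!    show crypto ipsec sa peer 198.51.100.10  -> encaps/decaps counters increasing
!    packet-tracer input inside tcp 10.1.0.10 1024 10.2.0.10 445
!                                             -> output-interface vpnp2p, VPN encrypt phase
```

Two caveats a practitioner would want before committing this. First, the branch subnet must not also appear in a crypto ACL attached to outside_map, or the ASA will have two tunnels claiming the same traffic; the branch entry belongs only to the map on vpnp2p. Second, the branch side must peer with 203.0.113.2 rather than the ISP1 address, as the first reply already notes, and its own firewall policy must permit ISAKMP (UDP 500) and ESP from that new address. Nothing here provides failover: if ISP2 goes down, the host route for the peer still points at it and the branch tunnel simply stops, which is what the question asked for.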
