Dual ISP setting on ASA 5510

mburguk1000
Level 1

I have an issue where I want to configure an additional ISP interface on our ASA 5510.

I already have one ISP working but am unable to implement the second ISP. All I want the secondary connection to do is accept VPN traffic for remote users.

So far I have connected the second interface with a security level of 0, being an outside interface, and a route with a metric of 2.

I have amended the security policy as well but am still unable to connect from outside.

Any help would be greatly appreciated

Thanks

8 Replies

Jon Marshall
Hall of Fame

mburguk1000 wrote:

I have an issue where I want to configure an additional ISP interface on our ASA 5510.

I already have one ISP working but am unable to implement the second ISP. All I want the secondary connection to do is accept VPN traffic for remote users.

So far I have connected the second interface with a security level of 0, being an outside interface, and a route with a metric of 2.

I have amended the security policy as well but am still unable to connect from outside.

Any help would be greatly appreciated

Thanks

Presumably the firewall has a default route pointing to ISP1?

So you will need specific routes for your VPN connections pointing to ISP2, i.e. if you are trying to connect from 195.17.17.10 you would need a route on your firewall:

route outside2 195.17.17.10 255.255.255.255 <ISP2-gateway>   <-- where outside2 is the new interface you have added and <ISP2-gateway> is that ISP's next-hop address.

Jon

What I did was route 0.0.0.0 0.0.0.0 <ISP2 next-hop> (which I gave a metric of 2), as it would be people connecting via the Cisco VPN client.

mburguk1000 wrote:

What I did was route 0.0.0.0 0.0.0.0 <ISP2 next-hop> (which I gave a metric of 2), as it would be people connecting via the Cisco VPN client.

But when would that ever get used, because your other default route would take precedence? How would the ASA know that you wanted to use a different default route when the VPN clients connected?

To override the default route you will have to use host-specific routes for VPN clients, or subnet-specific routes, but that is going to be difficult because your VPN clients could connect from anywhere with any IP, presumably?

Jon

Yes, that's right, and this is where I have reached a dead end, or am not quite understanding what needs to be done.

mburguk1000 wrote:

Yes, that's right, and this is where I have reached a dead end, or am not quite understanding what needs to be done.

Okay, unfortunately you don't have many options. If it was non-VPN traffic you could use multiple contexts on your ASA and have 2 virtual firewalls, but multiple contexts do not support VPN. And the ASA does not support PBR, so that is ruled out as well.

Unless you can tie down the internet source IP addresses of the VPN clients so you can add routes, you can't make this work with one ASA. You would need a 2nd independent ASA for the VPN traffic.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

OK, thank you for your help and understanding.

Apply this to your scenario.

Substitute with the proper protocols for which Remote Access VPN you are using.

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route backup 0.0.0.0 0.0.0.0 y.y.y.y 2

nat (inside) 1 0 0
global (outside) 1 interface
global (backup) 1 interface

static (outside,inside) tcp 0.0.0.0 www 0.0.0.0 www netmask 0.0.0.0
static (backup,inside) tcp 0.0.0.0 smtp 0.0.0.0 smtp netmask 0.0.0.0

Rodrigo Gurriti
Level 3

OK

What we have here is simple, OK.

The remote side will try to connect to your VPN through your 2nd ISP, OK.

BUT the default route to respond is through the 1st ISP, OK.

What is going to happen is that your remote will go nuts because it's going through one destination and getting a reply from a different host, because in the route table it's going to prefer the host with a better "cost".

What do you do to FIX IT?

You have to add a specific route for that connection. Let's say:

Remote VPN device: 192.168.0.1

2nd ISP: 10.0.0.1

route 2nd_ISP 192.168.0.1 255.255.255.255 10.0.0.1

That way your ASA will prefer to respond through your 2nd ISP because it has a more specific route!

Understand that you will never be able to balance them, just because the appliance doesn't run BGP, but if you have a router in front you can run BGP with the ISP (of course you need an AS) and then run OSPF with the router having both interfaces with equal cost, and it'll get balanced.

I hope I understood what you asked ... try it out.
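The route-selection behaviour Jon and Rodrigo both describe (a metric-2 default route never being chosen while the metric-1 default exists, and a host-specific route for the VPN peer winning over both) modelled as a small longest-prefix-match table. This is an added example, not code from the thread or from Cisco; the gateway addresses are constructed placeholders and 195.17.17.10 is the client address used in the thread.

```python
from ipaddress import ip_address, ip_network

class RouteTable:
    """Minimal static routing table: longest prefix match, then lowest distance."""

    def __init__(self):
        self.routes = []  # (network, interface, next_hop, distance)

    def add(self, iface, prefix, next_hop, distance=1):
        # Mirrors: route <iface> <network> <mask> <gateway> [distance]
        self.routes.append((ip_network(prefix), iface, next_hop, distance))

    def remove(self, iface, prefix):
        net = ip_network(prefix)
        self.routes = [r for r in self.routes if not (r[0] == net and r[1] == iface)]

    def lookup(self, dest):
        """Return the egress interface for dest, or None if no route matches."""
        matches = [r for r in self.routes if ip_address(dest) in r[0]]
        if not matches:
            return None
        # Longer prefix beats shorter; for equal prefixes the lower distance wins.
        return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[1]

# Constructed gateway addresses (RFC 5737 documentation ranges), not from the thread.
ISP1_GW = "203.0.113.1"
ISP2_GW = "198.51.100.1"
VPN_PEER = "195.17.17.10"  # the example client address used in the thread

def build_table():
    rt = RouteTable()
    rt.add("outside", "0.0.0.0/0", ISP1_GW, 1)   # route outside 0 0 <ISP1> 1
    rt.add("outside2", "0.0.0.0/0", ISP2_GW, 2)  # route outside2 0 0 <ISP2> 2
    return rt

def demo():
    rt = build_table()
    results = {}
    # With both defaults present, the reply to the VPN peer leaves via ISP1.
    results["two_defaults"] = rt.lookup(VPN_PEER)
    # A /32 route for the peer is more specific than either default and wins.
    rt.add("outside2", VPN_PEER + "/32", ISP2_GW)
    results["host_route"] = rt.lookup(VPN_PEER)
    # Traffic to anyone else still follows the metric-1 default.
    results["other_traffic"] = rt.lookup("192.0.2.50")
    # The metric-2 default only carries traffic once the metric-1 default is gone.
    rt.remove("outside", "0.0.0.0/0")
    results["isp1_down"] = rt.lookup("192.0.2.50")
    return results
```

The "isp1_down" case is the only situation in which the backup default route is used, which is why the metric-2 route alone does nothing for inbound VPN clients while ISP1 is up.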
