Second VPN on ASA

Unanswered Question
Apr 13th, 2010

Hello everyone,

We have a couple of 2811's with ASA5505s behind them at 2 different locations. The ASAs have the Base license, not Security Plus. Currently we have a site-to-site VPN tunnel going from ASA1 to ASA2 through the ISPs on the 2811s. This tunnel is using VLAN 1 and VLAN 2 for a standard outside and inside interface configuration. Works fine. We are bringing in a second ISP, and since the throughput on the ASAs for 3DES is 100 Mbps, we want to connect the second ISPs directly to the ASAs and take the 2811s out of the equation for the second ISPs, since it is my understanding the ASA can do simple routing on its own now. The question is: will we be able to get the traffic on the inside interface to go across the second tunnel, which will be terminated on a different interface (normally called the DMZ interface, I guess) and on VLAN 3? We would prefer not to have to upgrade to a Security Plus license. Please feel free to offer any changes that might be needed to make this work if it won't work as desired and stated above.

Thanks in advance!  All replies rated

angel-moon Tue, 04/13/2010 - 08:58

Just to expand, both tunnels are for the same traffic, with the ASA-only tunnel as the primary tunnel and the tunnel through the 2811s as a backup (hopefully).

Jennifer Halim Tue, 04/13/2010 - 19:52

Sorry, looks like you are contradicting yourself. Initially you said you will remove the 2811 router, and on the second post, you mention that the tunnel will pass through the 2811 router?

So currently you have ASA terminating a LAN-to-LAN tunnel via ISP 1? and you would like to terminate the same tunnel on a second ISP connection (which you will terminate on another interface of ASA)? What is the purpose of terminating the same tunnel via 2 different ISPs? or do you only want to use the second ISP when the first ISP is down? or you would like to use ISP 2 for VPN connection only, and all other traffic through ISP 1?

angel-moon Tue, 04/13/2010 - 20:21

Thanks for your response. The goal is to get the 2nd ISPs terminating on different interfaces on the ASAs. We want this to then be the primary VPN tunnel, and the current VPN tunnel will only be active if the new one goes down.

Federico Coto F... Tue, 04/13/2010 - 20:30
What you want to accomplish is to have two ISPs connected to the ASA and have two tunnels terminating on it (one active, the other backup?)

Have two L2L tunnels terminating on two interfaces on the ASA (each one via a different ISP).

On the other side, both tunnels terminate on the same device?

Specifying the crypto peer to use the first IP and then try the second IP will accomplish this, along with having a route statement preferring the first IP over the other.
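The layout Federico describes, written out as an added ASA configuration example (not configuration posted by anyone in this thread; every address, interface name, access-list and tunnel-group name is a constructed placeholder):

```cisco
! Added example for this thread, not configuration posted by anyone here.
! All addresses, names and the VLAN layout are constructed placeholders.
!
! New ISP lands directly on VLAN 3. A 5505 Base license permits a third
! VLAN only with "no forward interface": VLAN 3 may not initiate traffic
! to VLAN 1, which is fine for a WAN-only uplink.
interface Vlan3
 no forward interface Vlan1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Interesting traffic and NAT exemption for the tunnel (same on both paths).
access-list L2L-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list L2L-TRAFFIC
!
! Prefer the direct ISP (metric 1) and watch its gateway with an SLA probe;
! when the probe fails, the tracked route is withdrawn and the metric-10
! route through the 2811 takes over.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface isp2
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside 0.0.0.0 0.0.0.0 192.0.2.1 10
!
! One crypto map, two peers: the ASA negotiates with the first address and
! falls back to the second only if it does not respond. Bind the map to both
! ISP interfaces so the tunnel can terminate on whichever path is active.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address L2L-TRAFFIC
crypto map MYMAP 10 set peer 198.51.100.2 198.51.100.130
crypto map MYMAP 10 set transform-set ESP-3DES-SHA
crypto map MYMAP interface isp2
crypto map MYMAP interface outside
crypto isakmp enable isp2
crypto isakmp enable outside
!
! Each remote peer address needs its own L2L tunnel-group.
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
tunnel-group 198.51.100.130 type ipsec-l2l
tunnel-group 198.51.100.130 ipsec-attributes
 pre-shared-key REPLACE-WITH-SHARED-SECRET
```

An ISAKMP policy (not shown) is still required, and the remote ASA needs the mirror of this configuration with its own two peer addresses; verify failover with `show crypto isakmp sa` and `show route` after pulling the primary link.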
