Multiple interfaces for site-to-site VPN on ASA

Sep 14th, 2010

Is it possible to segment site-to-site VPN traffic to different output interfaces on the ASA platform? I would like to direct site-to-site VPNs from partners to a different interface than site-to-site VPNs from corporate sites.

jjohnston1127 Tue, 09/14/2010 - 11:13

On an ASA, you can only have one default route (0.0.0.0/32) going to a single interface, but you should be able to use the other interfaces for VPN connections.

For example:

Interface outside1    IP Address: 1.2.3.4/24 with default gateway of 1.2.3.1/24
Interface outside2    IP Address: 2.3.4.5/24 with default gateway of 2.3.4.1/24

You would have your normal default route of route outside1 0.0.0.0 0.0.0.0 1.2.3.1 and you would point your corporate VPN tunnels to the endpoint peer address of 1.2.3.4.

You would then have routes for your partner sites going out interface outside2. For example, for a partner with IP of 4.5.6.7 you would: route outside2 4.5.6.7 255.255.255.255 2.3.4.1.

Point the partner VPN endpoints to build a tunnel to your external address of 2.3.4.5.

Make sense?
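The following is an added configuration example illustrating the design described in the answer above; it is not the poster's configuration and not taken from Cisco documentation. It assumes ASA 9.x CLI syntax (ikev1 keywords), the interface names, addresses and partner peer 4.5.6.7 from the answer, and constructed placeholders for everything else: GigabitEthernet numbering, a corporate peer 5.6.7.8, the protected subnets, the ACL/crypto-map/transform-set names and the pre-shared keys. The mechanism that does the work is ordinary longest-prefix routing: the default route (0.0.0.0/0, exactly the route statement the answer gives) sends corporate peers out outside1, while the /32 host route for the partner peer wins over the default and forces that peer's IKE and ESP out outside2, sourced from 2.3.4.5.

```text
! Added example, not from the original post. ASA 9.x syntax assumed.
! Interface names, addresses and the partner peer 4.5.6.7 follow the answer;
! the corporate peer 5.6.7.8, interface numbering, subnets, object names and
! pre-shared keys are constructed placeholders.

interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 2.3.4.5 255.255.255.0
!
! Default route (0.0.0.0/0) via outside1: corporate tunnels terminate on 1.2.3.4.
route outside1 0.0.0.0 0.0.0.0 1.2.3.1
! Host route for the partner peer: the /32 beats the default route, so IKE and
! ESP to 4.5.6.7 leave outside2 and are sourced from 2.3.4.5.
route outside2 4.5.6.7 255.255.255.255 2.3.4.1
!
! Interesting traffic for each tunnel (constructed subnets).
access-list CORP-VPN extended permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list PARTNER-VPN extended permit ip 10.0.10.0 255.255.255.0 172.16.99.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
!
! One crypto map is bound to both outside interfaces; the route to each
! entry's peer decides which interface the SA is actually negotiated on.
crypto map VPN-MAP 10 match address CORP-VPN
crypto map VPN-MAP 10 set peer 5.6.7.8
crypto map VPN-MAP 10 set ikev1 transform-set TS-AES256
crypto map VPN-MAP 20 match address PARTNER-VPN
crypto map VPN-MAP 20 set peer 4.5.6.7
crypto map VPN-MAP 20 set ikev1 transform-set TS-AES256
crypto map VPN-MAP interface outside1
crypto map VPN-MAP interface outside2
crypto ikev1 enable outside1
crypto ikev1 enable outside2
!
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key <CORP-PSK-PLACEHOLDER>
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key <PARTNER-PSK-PLACEHOLDER>
!
! Optional hardening: only the partner peer may speak IKE/NAT-T/ESP to outside2.
access-list OUTSIDE2-CP extended permit udp host 4.5.6.7 host 2.3.4.5 eq isakmp
access-list OUTSIDE2-CP extended permit udp host 4.5.6.7 host 2.3.4.5 eq 4500
access-list OUTSIDE2-CP extended permit esp host 4.5.6.7 host 2.3.4.5
access-group OUTSIDE2-CP in interface outside2 control-plane
```

After applying it, `show route` should list the 4.5.6.7/32 entry on outside2 beneath the default on outside1, and `show crypto ikev1 sa` should show the partner SA with local address 2.3.4.5 and the corporate SA with 1.2.3.4. Two things to keep in mind when extending the design: every additional partner peer needs its own host (or summary) route pointing at outside2, because nothing in the crypto map itself pins a peer to an interface, and the control-plane ACL on outside2 only limits who can initiate IKE on that interface; outside1 still accepts IKE from any source unless it is restricted the same way.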
