ASA 5505 - Two internet connections

Answered Question
May 18th, 2011

Hi is it possible to configure an ASA 5505 with two internet connections? One dedicated for VPN and the other one for Internet access only.

If you have an example to share.

Thanks a lot

David

Roman Rodichev Wed, 05/18/2011 - 16:20

OK, that's good; if it were a Remote Access VPN it wouldn't make any sense, since you can only have one default route for unknown public IP addresses.

Yeah, I don't see why you couldn't do this. You are not restricted to terminating VPN connections on the outside interface. You would basically create a DMZ VLAN interface and terminate the VPN on that public IP. You would need to configure static routes for all remote site-to-site VPN public IP endpoints pointing to the second ISP's default gateway.

In the case of the 5505, you need to make sure you have a Security Plus license; without it you have no support for DMZs.

david-lima Wed, 05/18/2011 - 16:29

Hi Roman, thanks a lot. I'm trying to do this, but I can only access the Internet. I have 2 Internet connections with this configuration:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3

interface Vlan1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
nameif outside-vpn
security-level 0
ip address 186.125.158.2 255.255.255.248
!
interface Vlan3
nameif LAN-ADSL
security-level 1
ip address 10.0.0.1 255.255.255.0

global (LAN-ADSL) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.5.0.0 255.255.255.0
access-group 100 in interface outside
access-group Internet in interface LAN-ADSL
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
route outside 10.5.1.0 255.255.255.0 186.125.158.1 1
route outside 10.5.2.0 255.255.255.0 186.125.158.1 1
route outside 10.5.3.0 255.255.255.0 186.125.158.1 1

Since I added the Internet connection, the VPN is no longer available.

ciscoasa(config)# sh crypto isakmp sa

There are no isakmp sas

Do you think I'm missing something?

Thanks a lot

David

david-lima Wed, 05/18/2011 - 16:43

Hi Roman, thanks a lot. Yes, I have the Security Plus license and it allows me up to 20 VLANs.

I followed your advice with the static routes, but the VPN is not up yet.

Any additional suggestion will be appreciated.

Thanks a lot

David

Roman Rodichev Wed, 05/18/2011 - 16:49

Yes, I was referring to the static routes. I don't see them in the above config.

Can you post full config?

Correct Answer
Roman Rodichev Wed, 05/18/2011 - 17:08

I see you have a static route only for 186.125.164.178, so you are only testing crypto map 2, right?

Your nat (inside) 0 uses ACL inside_nat0_outbound_1 which doesn't seem to have the exclusion for 10.5.3.0/24 remote network.
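As an added example (not part of the original thread and not David's configuration), here is a worked ASA 8.2-style configuration that puts the pieces of Roman's two answers together: a single default route out the ADSL interface, the VPN terminated on the second ISP's VLAN interface, host routes for every site-to-site peer and routes for every remote LAN pointing at the VPN ISP's gateway, and a NAT-exemption ACL that lists every remote network. The interface names, local addresses, the 186.125.164.178 peer and the 10.5.1.0/24 to 10.5.3.0/24 remote networks are taken from the thread; pairing 186.125.164.178 with 10.5.3.0/24 as crypto map entry 2 is an assumption, and the other two peer addresses (192.0.2.10, 198.51.100.20), the pre-shared key, and the ACL, crypto map and transform-set names are placeholders.

```cisco
! Added example: dual-ISP ASA 5505 (pre-8.3 NAT syntax, Security Plus license).
! Values not in the thread (peers 192.0.2.10 / 198.51.100.20, the PSK, object
! names) are placeholders.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
 nameif outside-vpn
 security-level 0
 ip address 186.125.158.2 255.255.255.248
!
interface Vlan3
 nameif LAN-ADSL
 security-level 1
 ip address 10.0.0.1 255.255.255.0
!
! Internet-bound traffic: PAT behind the ADSL interface address.
global (LAN-ADSL) 1 interface
nat (inside) 1 10.5.0.0 255.255.255.0
!
! NAT exemption must list EVERY remote VPN network; a site that is missing
! here gets PATed to the ADSL address and never matches its crypto ACL.
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.5.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.5.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
!
! Only one default route: everything unknown goes to the ADSL gateway.
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
!
! Each site-to-site peer's public IP needs a host route via the VPN ISP;
! otherwise IKE/ESP leaves through LAN-ADSL and no SA ever forms.
route outside-vpn 186.125.164.178 255.255.255.255 186.125.158.1 1
route outside-vpn 192.0.2.10 255.255.255.255 186.125.158.1 1
route outside-vpn 198.51.100.20 255.255.255.255 186.125.158.1 1
!
! Remote LANs must egress outside-vpn, where the crypto map is applied;
! with only the default route they would leave via LAN-ADSL in the clear.
route outside-vpn 10.5.1.0 255.255.255.0 186.125.158.1 1
route outside-vpn 10.5.2.0 255.255.255.0 186.125.158.1 1
route outside-vpn 10.5.3.0 255.255.255.0 186.125.158.1 1
!
! Crypto ACL for map entry 2 (the peer being tested in the thread).
access-list outside_cryptomap_2 extended permit ip 10.5.0.0 255.255.255.0 10.5.3.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map vpn_map 2 match address outside_cryptomap_2
crypto map vpn_map 2 set peer 186.125.164.178
crypto map vpn_map 2 set transform-set ESP-AES-SHA
! Bind the map and enable IKE on the VPN interface, not on LAN-ADSL.
crypto map vpn_map interface outside-vpn
crypto isakmp enable outside-vpn
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 186.125.164.178 type ipsec-l2l
tunnel-group 186.125.164.178 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
```

To check it: `show route` should list the peer host routes and the 10.5.x.0/24 routes via outside-vpn with only the 0.0.0.0/0 route via LAN-ADSL. Then send traffic from 10.5.0.0/24 to 10.5.3.0/24 and confirm `show crypto isakmp sa` reports an MM_ACTIVE SA with 186.125.164.178 and `show crypto ipsec sa` shows encaps/decaps counters climbing. `packet-tracer input inside tcp 10.5.0.10 1024 10.5.3.10 445` shows in its NAT and VPN phases whether the flow was exempted and encrypted on outside-vpn or wrongly sent out LAN-ADSL, which is exactly the failure the missing route or missing nat 0 entry produces.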
