
ASA 5505 - Two internet connections

david-lima
Level 4

Hi, is it possible to configure an ASA 5505 with two internet connections? One dedicated to VPN and the other one for Internet access only.

If you have an example to share.

Thanks a lot

David

1 Accepted Solution


I see you have a static route only for 186.125.164.178, so you are only testing crypto map 2, right?

Your nat (inside) 0 uses ACL inside_nat0_outbound_1 which doesn't seem to have the exclusion for 10.5.3.0/24 remote network.


9 Replies

Roman Rodichev
Level 7

Site to site VPN or Remote Access VPN?

Hi Roman, thanks a lot. It is Site to site VPN

Thanks

David

Ok that's good, as if it was Remote Access VPN then it wouldn't make any sense since you can only have one default route for unknown public IP addresses.

Yeah, I don't see why you couldn't do this. You are not restricted to terminating VPN connections on the outside interface. You basically would create a DMZ VLAN interface and terminate VPN on that public IP. You would need to configure static routes for all remote site-to-site VPN public IP end points to point to the second ISP default gateway.

In case of 5505, you need to make sure you have a Security Plus license, without it you have no support for DMZs.

Hi Roman, thanks a lot. I'm trying to do this, but I can only access the internet. I have 2 internet connections with this configuration:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3

interface Vlan1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
nameif outside-vpn
security-level 0
ip address 186.125.158.2 255.255.255.248
!
interface Vlan3
nameif LAN-ADSL
security-level 1
ip address 10.0.0.1 255.255.255.0

global (LAN-ADSL) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.5.0.0 255.255.255.0
access-group 100 in interface outside
access-group Internet in interface LAN-ADSL
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
route outside 10.5.1.0 255.255.255.0 186.125.158.1 1
route outside 10.5.2.0 255.255.255.0 186.125.158.1 1
route outside 10.5.3.0 255.255.255.0 186.125.158.1 1

Since I added the internet connection, the VPN is no longer available.

ciscoasa(config)# sh crypto isakmp sa

There are no isakmp sas

Do you think I'm missing something?

Thanks a lot

David

Please reread second paragraph in my previous post.

Hi Roman, thanks a lot. Yes, I have the Security Plus license and it allows me up to 20 VLANs.

I followed your advice with the static routes but the VPN is not up yet.

Any additional suggestion will be appreciated.

Thanks a lot

David

Yes, I was referring to the static routes. I don't see them in the above config.

Can you post full config?

Hi, thanks again, here you have the config.

Thanks

David

I see you have a static route only for 186.125.164.178, so you are only testing crypto map 2, right?

Your nat (inside) 0 uses ACL inside_nat0_outbound_1 which doesn't seem to have the exclusion for 10.5.3.0/24 remote network.
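
Added example, not part of the thread or of either poster's configuration: a small Python audit of the two points raised in the replies above, namely that every site-to-site peer is routed out of the interface the crypto map is applied to, and that every protected network pair is covered by the `nat (inside) 0` exemption ACL. The sample config is constructed; the crypto map name, the `vpn_site*` ACL names and the 203.0.113.10 peer are assumptions, and only `network mask` ACL entries are parsed.

```python
import ipaddress

# Constructed sample (pre-8.3 syntax); crypto map name, vpn_site* ACLs, 203.0.113.10 are made up.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list vpn_site1 extended permit ip 10.5.0.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list vpn_site2 extended permit ip 10.5.0.0 255.255.255.0 10.5.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
route outside-vpn 186.125.164.178 255.255.255.255 186.125.158.1 1
crypto map vpnmap 1 match address vpn_site1
crypto map vpnmap 1 set peer 203.0.113.10
crypto map vpnmap 2 match address vpn_site2
crypto map vpnmap 2 set peer 186.125.164.178
crypto map vpnmap interface outside-vpn
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def audit(config):
    """Return (crypto map seq, problem, detail) for the two checks raised in the thread."""
    acls, routes, entries, nat0, vpn_if = {}, [], {}, [], None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(w[1], []).append((net(w[5], w[6]), net(w[7], w[8])))
        elif w[:1] == ["route"]:
            routes.append((net(w[2], w[3]), w[1]))
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            nat0.append(w[4])
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            vpn_if = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            entries.setdefault(w[3], {})["acl"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            entries.setdefault(w[3], {})["peer"] = ipaddress.ip_address(w[6])
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    findings = []
    for seq, e in sorted(entries.items()):
        # Longest-prefix match decides which interface the tunnel endpoint is reached through.
        hits = [(n.prefixlen, ifc) for n, ifc in routes if e["peer"] in n]
        if not hits or max(hits)[1] != vpn_if:
            findings.append((seq, "peer-route", str(e["peer"])))
        # Every protected source/destination pair must also be exempt from NAT.
        for src, dst in acls.get(e.get("acl"), []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append((seq, "nat0-missing", str(dst)))
    return findings

print(audit(SAMPLE_CONFIG))
```

In the constructed sample, entry 1 is flagged because its peer only matches the default route on LAN-ADSL, and entry 2 because 10.5.3.0/24 is absent from the exemption ACL.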
