05-18-2011 04:13 PM
Hi, is it possible to configure an ASA 5505 with two Internet connections? One dedicated to VPN and the other one for Internet access only.
If you have an example to share.
Thanks a lot
David
05-18-2011 04:14 PM
Site to site VPN or Remote Access VPN?
05-18-2011 04:17 PM
Hi Roman, thanks a lot. It is a site-to-site VPN.
Thanks
David
05-18-2011 04:20 PM
Ok that's good, as if it was Remote Access VPN then it wouldn't make any sense since you can only have one default route for unknown public IP addresses.
Yeah, I don't see why you couldn't do this. You are not restricted to terminating VPN connections on the outside interface. You basically would create a DMZ VLAN interface and terminate VPN on that public IP. You would need to configure static routes for all remote site-to-site VPN public IP end points to point to the second ISP default gateway.
In case of 5505, you need to make sure you have a Security Plus license, without it you have no support for DMZs.
05-18-2011 04:29 PM
Hi Roman, thanks a lot. I'm trying to do this, but I can only access the Internet. I have 2 Internet connections with this configuration:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
interface Vlan1
nameif inside
security-level 100
ip address 10.5.0.1 255.255.255.0
!
interface Vlan2
nameif outside-vpn
security-level 0
ip address 186.125.158.2 255.255.255.248
!
interface Vlan3
nameif LAN-ADSL
security-level 1
ip address 10.0.0.1 255.255.255.0
global (LAN-ADSL) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 10.5.0.0 255.255.255.0
access-group 100 in interface outside
access-group Internet in interface LAN-ADSL
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
route outside 10.5.1.0 255.255.255.0 186.125.158.1 1
route outside 10.5.2.0 255.255.255.0 186.125.158.1 1
route outside 10.5.3.0 255.255.255.0 186.125.158.1 1
Since I added the Internet connection, the VPN is no longer available.
ciscoasa(config)# sh crypto isakmp sa
There are no isakmp sas
Do you think I'm missing something?
Thanks a lot
David
05-18-2011 04:32 PM
Please reread second paragraph in my previous post.
05-18-2011 04:43 PM
Hi Roman, thanks a lot. Yes, I have the Security Plus license and it allows me up to 20 VLANs.
I followed your advice with the static routes, but the VPN is not up yet.
Any additional suggestions will be appreciated.
Thanks a lot
David
05-18-2011 04:49 PM
Yes, I was referring to the static routes. I don't see them in the above config.
Can you post full config?
05-18-2011 05:04 PM
05-18-2011 05:08 PM
I see you have a static route only for 186.125.164.178, so you are only testing crypto map 2, right?
Your nat (inside) 0 uses ACL inside_nat0_outbound_1 which doesn't seem to have the exclusion for 10.5.3.0/24 remote network.
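Added example, not part of the thread and not posted by its participants: a small Python audit for the two problems diagnosed above, namely a crypto map peer with no static route out the VPN interface and a nat 0 ACL that lacks the exemption for a remote network. The sample config is constructed; the peer 203.0.113.10 and the names vpn_map, vpn_site2 and vpn_site3 are assumptions, and only "permit ip net mask net mask" ACL entries are parsed.

```python
import ipaddress

# Constructed sample (pre-8.3 ASA syntax). Interface, ACL and address names follow
# the thread; peer 203.0.113.10 and the vpn_map / vpn_site* names are made up.
SAMPLE = """\
access-list vpn_site2 extended permit ip 10.5.0.0 255.255.255.0 10.5.2.0 255.255.255.0
access-list vpn_site3 extended permit ip 10.5.0.0 255.255.255.0 10.5.3.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.5.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route LAN-ADSL 0.0.0.0 0.0.0.0 10.0.0.2 1
route outside-vpn 186.125.164.178 255.255.255.255 186.125.158.1 1
crypto map vpn_map 2 match address vpn_site2
crypto map vpn_map 2 set peer 186.125.164.178
crypto map vpn_map 3 match address vpn_site3
crypto map vpn_map 3 set peer 203.0.113.10
crypto map vpn_map interface outside-vpn
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def audit(config):
    """Check peer routing and NAT exemption; returns a list of findings."""
    acls, routes, peers, crypto_acls, findings = {}, [], [], [], []
    nat0 = vpn_if = None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"] and len(w) == 9:
            acls.setdefault(w[1], []).append((net(w[5], w[6]), net(w[7], w[8])))
        elif w[:1] == ["route"] and len(w) >= 5:
            routes.append((net(w[2], w[3]), w[1]))
        elif w[:4] == ["nat", "(inside)", "0", "access-list"] and len(w) == 5:
            nat0 = w[4]
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"] and len(w) == 5:
            vpn_if = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"] and len(w) >= 7:
            peers.append(ipaddress.ip_address(w[6]))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"] and len(w) == 7:
            crypto_acls.append(w[6])
    for peer in peers:
        # Longest-prefix match decides which ISP interface the tunnel traffic leaves by.
        hits = [r for r in routes if peer in r[0]]
        via = max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
        if via != vpn_if:
            findings.append(f"peer {peer}: routed via {via}, crypto map is on {vpn_if}")
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            # Protected traffic must bypass PAT, or it no longer matches the crypto ACL.
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(nat0, [])):
                findings.append(f"{nat0}: no NAT exemption for {src} -> {dst}")
    return findings
```

Calling audit(SAMPLE) reports the peer that would follow the default route out LAN-ADSL and the 10.5.3.0/24 network missing from inside_nat0_outbound_1.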