I am adding a second external connection to an existing system on an ASA 5510 with ASA V8.2 and ASDM 6.4
I added the new WAN using another interface (newwan).
The intention is to route most internet traffic over the new route/interface (newwan) but keep our existing VPNs using the former interface (outside).
I used the ASDM GUI to make the changes and most of it works.
i.e. the default route goes via (newwan).
Outgoing VPNs of a site to site nature use the previous route via (outside) as they now have static routes to achieve this.
The only problem is that incoming Remote Access AnyConnect VPNs are not working.
I set the default static route to use the new interface (newwan) and the default tunneled route to be via (outside), but this is the point where it goes wrong....
I can no longer ping the outside IP address from an external location.
It seems the outside interface does not send traffic back to the outside interface (or at least that's where I think the problem lies). How do I force replies to the incoming VPN remote traffic from unknown IPs to go back out on the outside interface?
The only change I need to make to get everything working on the outside interface again is to make the default static route use the outside interface, which puts all the internet traffic back on the original (outside) connection.
Any pointers appreciated.
As it is right now you will need to use the same interface you have the default route over to terminate remote access, unless you know their IPs.
In one of the designs I saw we did something like this.
(ISP cloud) ---- edge router ---- ASA.
On the edge router you can perform PAT to the router's inside interface for traffic incoming on ports udp/500 and udp/4500 (you might need to add exceptions for your static L2L). It's dirty, I would not say it's recommended, but apparently it was working.
On routers this sort of situation is easily remedied by using VRF-lite with crypto.
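The routing arrangement the question describes (ordinary default route via newwan, tunneled default route via outside, host routes for the known site-to-site peers), as an added ASA CLI example for reference; it is not the poster's configuration and not the answerer's design. Interface names are taken from the thread; all next hops and peer addresses are documentation-range placeholders. It also shows why the answer says remote-access peers must arrive on the default-route interface unless their addresses are known: the host routes in step 3 are exactly what cannot be written for clients at arbitrary addresses.

```text
! Added example, not configuration from the thread. Placeholders:
!   198.51.100.1 = next hop on "newwan" (new ISP)
!   203.0.113.1  = next hop on "outside" (original ISP)
!   192.0.2.10, 192.0.2.20 = known site-to-site peer addresses

! 1. Ordinary default route: everything without a more specific route,
!    including the ASA's own replies to hosts it has no route for,
!    leaves via the new ISP.
route newwan 0.0.0.0 0.0.0.0 198.51.100.1 1

! 2. Tunneled default route: applies only to decrypted traffic that exits a
!    VPN tunnel and has no better route. It does NOT steer the ASA's own
!    encrypted replies (IKE/ESP/TLS) to a VPN peer; those follow step 1.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 tunneled

! 3. Host routes for each known L2L peer, so control and data traffic to and
!    from those peers stays on the original ISP. This is what keeps the
!    site-to-site tunnels working after the default route moved.
route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
route outside 192.0.2.20 255.255.255.255 203.0.113.1 1
```

With this in place, `show route` should list the newwan default, the `outside` tunneled default and one host route per L2L peer. A remote-access client at an unknown address matches none of the host routes, so the ASA's reply to its first packet is routed out newwan (with the outside interface address as source) and the session never completes, which matches the symptom in the question and the constraint stated in the answer.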