I have an ASA 5510 with 3 interfaces: inside, outside_cable, dmz
The cable has been down or slow a lot recently. This isn't so bad for my internal users, but for those connecting to the office via VPN it's a bummer, so I brought a FIOS line in with 1 static IP.
I would like to set a 4th interface (outside_fios) and use it ONLY for accepting VPN connections from AnyConnect.
I set the FIOS router (provided by Verizon) as a bridge and set the public IP address provided by Verizon on the 4th interface of my ASA. I also set the AnyConnect profiles to use either the outside_cable OR the outside_fios interfaces.
Needless to say, I'm missing something, which is why I'm posting, because when I try to connect using AnyConnect to the FIOS IP the connection fails. I see nothing in the ASA log and the AnyConnect client simply says that the connection attempt has timed out - please verify internet connectivity (which I definitely have).
I have read some articles about licensing -- base vs. security plus -- and how that may be why this isn't working, but I'm not sure if that is correct. I have the base license, by the way.
Additionally - I have no routing set up for this interface because I'm not sure how to do it. The only routing that's happening right now in the ASA is the default route -- routing everything out the outside_cable interface.
I personally always handle Dual ISP routing scenarios with a Cisco router rather than the ASA.
I am not sure how the ASA handles the secondary ISP in this situation. To my understanding usually when the connections are coming from the secondary ISP the ASA should handle the connections correctly but initiating the connections from behind the ASA to the secondary ISP is usually the problem.
You might want to start trying to first configure a default route for the secondary ISP also.
You currently probably have this
route outside_cable 0.0.0.0 0.0.0.0 x.x.x.x 1
You could add
route outside_fios 0.0.0.0 0.0.0.0 x.x.x.x 254
Notice the different metric at the end. Since the original one has the metric of "1", it will stay in use. I use the value "254" simply to have a completely different value to the "1" but it could be "2" for example.
Maybe you could add this route first and try again.
If that doesn't work, I might have to test this out myself just to learn something new. But as I said, I don't have to do this in my work as we handle Dual ISP on routers and never on ASAs themselves.
Thanks! I have added the 2nd default route, but it has not fixed the problem.
I also realized that I had no access rules set up for this interface, so I just added allowing ssh and https and ICMP.
I also checked to make sure the FIOS router was bridging properly by connecting my laptop to it and assigning my laptop to the public IP provided by Verizon. That worked fine -- I was able to access the internet and ping my laptop successfully from a different network.
I am trying to ping the public IP address (which is the address of the interface on the ASA) and I'm getting request timed out.