
ASA 5585 with dual uplinks

Hi all,

I have a firewall cluster with two ASA 5585-X units. It is currently running with a single uplink (Untrust). I have attached a draft diagram of this.

Site-to-site (L2L) VPNs peer with the Untrust interface, but remote access VPN client connections are terminated on a device connected to the DMZ.

So I need to shift the termination point of these remote access VPN users from the DMZ to a new interface, which is planned to be attached and connected to the ISP. Please see the diagram.

So I need to connect only RA VPN clients through the Remote VPN interface.

Could someone please tell me if this is possible? Otherwise, how can I achieve this?

There is no dynamic routing; only static routes are used. The default route goes through the "Untrust" interface.

[Attachment: Diagram1.jpg]


ASA 5585 with dual uplinks

So your remote users currently connect to the VPN via 203.189.x.x and you want to move them to a different interface? Does this new interface connect directly to the internet?

If this is the case then this is not possible, because you would need a default route on your ASA to reach all the remote access clients. Since the ASA only supports one active default route, you are limited to using the interface that connects to the internet.

--
Please remember to rate and select a correct answer


Hi Marius, 

Thank you for your comment.

I have tried adding an additional default route with AD 200 towards the Remote VPN interface. I did this just as a trial-and-error method. But it works...

Existing default route: route Untrust 0.0.0.0 0.0.0.0 203.189.X.X1 1

What I've added: route Remote 0.0.0.0 0.0.0.0 203.189.Z.Z1 200

After running the packet capture wizard, it's confirmed that traffic passed out the same interface where it came in.

I'm still searching for how it works (technically).

However, at the end of the day it has worked. :-)
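To make the behaviour discussed in this thread concrete, here is an added worked model (not code from the thread or from Cisco) of how a floating static default route with administrative distance 200 sits beside the AD 1 route, and of the packet-capture observation that replies to traffic terminated on the ASA leave via the interface they arrived on. Next-hop addresses are constructed placeholders, since the thread masks the real ones.

```python
"""Toy model of static route selection with administrative distance (AD).

Models the two routes from the thread (next hops are constructed placeholders):
    route Untrust 0.0.0.0 0.0.0.0 203.189.X.X1 1
    route Remote  0.0.0.0 0.0.0.0 203.189.Z.Z1 200
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self._candidates = []  # every configured static route, installed or not

    def add(self, iface, prefix, next_hop, distance=1):
        self._candidates.append((ipaddress.ip_network(prefix), iface, next_hop, distance))

    def withdraw_interface(self, iface):
        """Routes via an interface that went down are dropped from the table."""
        self._candidates = [r for r in self._candidates if r[1] != iface]

    def installed(self):
        """Only the lowest-AD route per prefix is installed (floating static)."""
        best = {}
        for net, iface, nh, ad in self._candidates:
            if net not in best or ad < best[net][2]:
                best[net] = (iface, nh, ad)
        return best

    def lookup(self, dst):
        """Longest-prefix match over installed routes; returns egress interface."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, v) for net, v in self.installed().items() if addr in net]
        if not matches:
            return None
        _, (iface, _, _) = max(matches, key=lambda m: m[0].prefixlen)
        return iface


def build_thread_table():
    t = RoutingTable()
    t.add("Untrust", "0.0.0.0/0", "203.0.113.1", 1)     # placeholder for 203.189.X.X1
    t.add("Remote", "0.0.0.0/0", "203.0.113.129", 200)  # placeholder for 203.189.Z.Z1
    return t


def reply_interface(table, ingress_iface, client_ip, to_the_box):
    """Egress for a reply. Traffic terminated on the firewall itself (the RA VPN
    sessions) is answered out the ingress interface, as the capture in the thread
    showed; traffic passing through the firewall follows the routing table."""
    return ingress_iface if to_the_box else table.lookup(client_ip)
```

The AD 200 route never carries through traffic while the AD 1 route is installed; it only takes over once the Untrust route is withdrawn.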
