Cisco Support Community
ASA VPN question

I'm getting ready to move our VPN connections from the VPN Concentrator to our ASA, which is also our internet firewall. My question is, does it make sense to connect one of the ASA's unused ports to the DMZ and use that as the VPN port, or just configure VPN to come in to the outside interface (which is already plugged in to the DMZ anyway)? My thought was to plug in a new port with a new IP to keep VPN traffic separate from other internet traffic.


Re: ASA VPN question

This depends on whether you have another ISP connection!

If you have two ISPs you can make two interfaces, give VPN users the secondary ISP public IP and use the primary one for outbound internet traffic.

But if you have only one interface with one ISP, you must use only your outside interface.

Good luck.

If helpful, rate.


Re: ASA VPN question


Have you ever implemented this in a production environment, and does it work without any glitches? I am interested to know.

Re: ASA VPN question

Hi David,

The idea is: let's say you have two ISP connections.

We know that with ASA we can't do load balancing, but we can make the links work in a primary and backup manner.

You can use ISP1 as the exit point for outbound traffic through, for example:

route outside 0 0 [ISP1]

route outside2 0 0 [ISP2] [higher metric]

Now ISP1 is preferred; if it goes down, ISP2 will be used.

For load sharing you can (but need not) give the VPN users the public IP address of the link with ISP2.

In the case where both ISP links are operational, outbound traffic will be through ISP1 and VPN through ISP2, which is good.

But if you have one link, I mean one exit point to the internet, you won't be able to implement it.

The link for ASA with two ISPs:

Good luck.

If helpful, rate.


Re: ASA VPN question

I am very well aware of this. But the question he asked is that he wants to separate VPN user traffic from other Internet traffic. By that, I assume he means "inbound" traffic. In other words, he wants "inbound" internet traffic to use the primary link while the VPN users will be using the secondary link for "inbound" VPN traffic?

I just don't see how that is possible. The link you described is for outbound traffic. VPN traffic is inbound.

Re: ASA VPN question

The link is halfway there.

The link lets you configure the redundant links; then you need to set up the VPN, use the secondary interface for the VPN and give the VPN client the secondary public IP address. In this case the inbound VPN traffic and communication will be through the secondary ISP (interface), while other traffic like outbound internet will normally go through the primary, and if the primary goes down it will go through the secondary.

Hope it is clear this time :)
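The primary/backup, two-ISP design described in the two posts above (default routes with different metrics, remote-access VPN bound to the secondary ISP interface) written out as an added example ASA configuration. This is not configuration posted in the thread. All interface names, addresses, the pool range, and the group-policy and tunnel-group names are hypothetical, and the syntax assumes a pre-8.3 ASA release (8.2-style nat/global, isakmp rather than ikev1 keywords), which is what was current when threads like this one were written.

```cisco
! Added example, not from the thread. Hypothetical addressing throughout.
! ISP1 on "outside", ISP2 on "outside2"; both at security-level 0.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Primary default route via ISP1 (metric 1), tracked so it is withdrawn when
! the ISP1 next hop stops answering ICMP; backup via ISP2 with a higher metric.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Outbound PAT on whichever ISP interface currently holds the default route.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Remote-access pool; exempt inside<->VPN-client traffic from NAT.
ip local pool VPNPOOL 10.10.200.1-10.10.200.254 mask 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.10.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! IKEv1/IPsec parameters for the remote-access clients.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
! Bind IKE and the crypto map to the secondary ISP interface only. Clients are
! given 198.51.100.2 (in DNS or in the client profile), so VPN arrives on ISP2
! while ordinary outbound traffic leaves via ISP1.
crypto isakmp enable outside2
crypto map VPNMAP interface outside2
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPNPOOL
 default-group-policy RA-POLICY
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key CHANGE-ME-GROUP-KEY
```

Two things to check before deploying a variant of this: the ASA will not accept two interfaces addressed in the same IP subnet, so the single-ISP version with addresses taken from one /24 needs the second interface in a different subnet (or the VPN simply terminated on the existing outside interface); and because `crypto isakmp enable` and `crypto map ... interface` are applied per interface, a client that dials the primary address instead gets no IKE reply unless the same map is bound to `outside` as well.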


Re: ASA VPN question

That goes back to the question I had before. Have you implemented this in a production network, and does it work without any glitches? I am very skeptical of these configurations, and I am sure there are a lot of caveats that will come with this.

Re: ASA VPN question

Well, my question actually was to separate only VPN traffic onto a different interface. I have a /24 block of IPs from our ISP, so this second interface would still go through the same ISP but have a different IP address. Then I'd set up DNS to point to that IP for VPN only. All outbound internet traffic (and other inbound traffic like mail) would still go through the other primary interface.