I have an ASA 5510 firewall. Currently I have a 2 Mbps Internet link. Everything is working fine, but the users at one of the branches where we have a site-to-site connection are complaining about slowness. So we have decided to arrange one more Internet link, which we will use only for that branch's site-to-site VPN connectivity.
I want to configure my firewall so that when these subnets
Head office subnet: 192.168.80.0
Branch office: 192.168.17.0
want to reach each other, their VPN traffic goes over the second 1 Mbps link. I don't want any load balancing or any failover.
I just want to configure the firewall for the site-to-site VPN so that when the subnet (192.168.80.0) wants to reach a particular destination (192.168.70.0), it goes over the second Internet link, and other traffic for the remote-access VPN and the other site-to-site tunnels keeps using the 2 Mbps link.
Well, you're going to need to configure an interface on the ASA for that 2nd Internet connection. Then, you would configure the peer at the remote side to point to the public IP address of the 2nd interface on the ASA 5510. After that, you'd need to configure the VPN portion. I've never tried this but I believe it will work, so:
Main Office ASA

Interface for the new link (description, security-level and ip address are sub-commands of the interface, so they go under it):
    interface Ethernet0/x (whichever free port you cable to the new link)
     description P2P VPN Interface
     nameif <name for the new interface>
     security-level 1 (you could make this 0 as well but it depends on the code version)
     ip address public.ip.address.ofnewconnection 255.255.255.x
     no shutdown

Add the access-list to bypass NAT (you probably already have this in your firewall from your other VPN stuff, but just in case):
    access-list bypassnat extended permit ip 192.168.80.0 255.255.255.0 192.168.17.0 255.255.255.0

Add the access-list to identify that VPN traffic (you probably already have this as well):
    access-list remotesitevpn extended permit ip 192.168.80.0 255.255.255.0 192.168.17.0 255.255.255.0

Apply the NAT bypass:
    nat (inside) 0 access-list bypassnat (this is probably already there)
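The answer above stops before the crypto and routing portion, which is where the "only this branch goes out the second link" behaviour actually comes from. The following is an added, complete example (not the answerer's or the original poster's configuration) of what the rest of the head-office config would look like. Everything not in the thread is an assumption and is labelled as such in the comments: ASA 8.2-era syntax (`nat (inside) 0`, `crypto isakmp enable`), the second ISP on Ethernet0/2 named `branchvpn`, the new link's address 198.51.100.2/30 with gateway 198.51.100.1, the branch peer's public address 203.0.113.10, and the interface, map, transform-set and tunnel-group names. The ASA has no PBR, but it does not need it here: the egress interface is chosen by destination route, so a static route for the branch's inner subnet (192.168.17.0/24) plus a host route for the peer's public address, both via the second ISP, steers exactly that subnet pair onto the new link while the default route keeps every other tunnel on the 2 Mbps `outside` interface.

```cisco
! Added example config, not from the original post. Assumptions (labelled):
!   - ASA 8.2 syntax (nat (inside) 0, crypto isakmp enable)
!   - second ISP cabled to Ethernet0/2, new link 198.51.100.2/30, ISP gateway 198.51.100.1
!   - branch peer public address 203.0.113.10
!   - names branchvpn / BRANCH-TS / BRANCHMAP / remotesitevpn / bypassnat are illustrative
!
interface Ethernet0/2
 description P2P VPN Interface (second Internet link, branch tunnel only)
 nameif branchvpn
 security-level 0
 ip address 198.51.100.2 255.255.255.252
 no shutdown
!
! The default route stays on the primary link (not shown). Only the branch's
! inner subnet and the branch peer's public address are routed out the new
! interface, so only that traffic (and its ESP/IKE) uses the 1 Mbps link.
route branchvpn 192.168.17.0 255.255.255.0 198.51.100.1 1
route branchvpn 203.0.113.10 255.255.255.255 198.51.100.1 1
!
! Identity NAT: head-office <-> branch traffic must not be translated before encryption.
access-list bypassnat extended permit ip 192.168.80.0 255.255.255.0 192.168.17.0 255.255.255.0
nat (inside) 0 access-list bypassnat
!
! Crypto ACL: the traffic this tunnel protects (must mirror the branch side).
access-list remotesitevpn extended permit ip 192.168.80.0 255.255.255.0 192.168.17.0 255.255.255.0
!
! IKE must be enabled on the new interface; it stays enabled on outside as before.
crypto isakmp enable branchvpn
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set BRANCH-TS esp-aes-256 esp-sha-hmac
!
! One tunnel-group per peer; use a long, unique pre-shared key for this peer only.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <strong-unique-psk>
!
! A separate crypto map bound to the new interface. The existing crypto map on
! "outside" is untouched and keeps serving remote-access and the other L2L tunnels.
crypto map BRANCHMAP 10 match address remotesitevpn
crypto map BRANCHMAP 10 set peer 203.0.113.10
crypto map BRANCHMAP 10 set transform-set BRANCH-TS
crypto map BRANCHMAP interface branchvpn
```

Two things to do alongside this: if the branch tunnel currently has an entry in the crypto map on `outside`, remove that entry so the same crypto ACL is not matched on two interfaces, and on the branch ASA change `set peer` and the tunnel-group name to the new public address (198.51.100.2 in this example). To check the result, `show route` should list 192.168.17.0 and the peer via `branchvpn`, `show crypto isakmp sa` should show the branch peer's phase 1 SA, and `show crypto ipsec sa peer 203.0.113.10` should show encaps/decaps counters increasing on `branchvpn` while the other tunnels still show on `outside`. The IKE policy and transform set shown are what 8.2 commonly supports; pick the strongest settings both ends support.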
Ah, I see. Sorry for the misunderstanding. What you want is policy-based routing (PBR). Unfortunately, I do not believe that is available yet for the ASA. I saw somewhere that it was on the road map, but who knows... You might look at doing some QoS for the site-to-site VPN (which is available), or you can purchase a router to do the PBR for you. I think you could trick the ASA by using static entries and then having 2 routes, but that would probably send all VPN traffic from a certain host out the 2nd connection. I'd probably try the QoS first and see what they say.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...