What I did was route 0.0.0.0 0.0.0.0 ISP2 next-hop (which had a metric of 2), as it would be people connecting via Cisco VPN client.
But when would that ever get used, because your other default route would take precedence? How would the ASA know that you wanted to use a different default route when the VPN clients connected?
To override the default route you will have to use host-specific routes for VPN clients, or subnet-specific routes, but that is going to be difficult because your VPN clients could connect from anywhere with any IP, presumably?
Yes, that's right, and this is where I have reached a dead end, or am not quite understanding what needs to be done.
Okay, unfortunately you don't have many options. If it was non-VPN traffic you could use multiple context mode on your ASA and have 2 virtual firewalls, but multiple context mode does not support VPN. And the ASA does not support PBR, so that is ruled out as well.
Unless you can tie down the internet source IP addresses of the VPN clients so you can add routes, you can't make this work with one ASA. You would need a 2nd independent ASA for the VPN traffic.
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
The remote side will try to connect to your VPN through your 2nd ISP, OK?
BUT the default route to respond is through the 1st ISP, OK?
What is going to happen is that your remote will go nuts, because it's going through one destination and getting a reply from a different host, because in the route table it's going to prefer the host with a better "cost".
What do you do to FIX IT?
You've got to add a specific route for that connection, let's say
That way your ASA will prefer to respond through your 2nd ISP because it has a more specific route!
Understand that you never will be able to balance them, just because the appliance doesn't run BGP, but if you have a router in front you can run BGP with the ISP (of course you need an AS) and then run OSPF with the router having both interfaces with equal cost, and it'll get balanced.
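To make the route-selection point above concrete, here is an added example (not from this thread or from Cisco) that models the lookup order the replies describe: longest prefix first, then lowest metric. It shows why the metric-2 default route toward ISP2 is never chosen while the ISP1 default exists, and why a more specific host route for a VPN client's public address does pull that client's reply traffic out ISP2. The client address and interface labels are constructed placeholders.

```python
import ipaddress

# Constructed routing table modelled on the thread: two default routes
# (the second with metric 2, as the poster configured).
ROUTES = [
    # (destination network, egress interface label, metric)
    (ipaddress.ip_network("0.0.0.0/0"), "ISP1", 1),
    (ipaddress.ip_network("0.0.0.0/0"), "ISP2", 2),
]


def lookup(dst, routes):
    """Return (interface, metric) chosen for dst.

    Selection mirrors what the replies describe: the longest matching
    prefix wins outright; metric only breaks ties between routes of the
    same prefix length.  A higher-metric default route therefore never
    overrides a lower-metric default route for any destination.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return (best[1], best[2])


def with_host_route(routes, client_ip, iface):
    """Add the host-specific (/32) route the second reply recommends.

    This only works when the VPN client's public address is known in
    advance, which is exactly the dead end the thread runs into.
    """
    host = ipaddress.ip_network(f"{client_ip}/32")
    return routes + [(host, iface, 1)]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed VPN client public address
    print("no host route :", lookup(client, ROUTES))
    fixed = with_host_route(ROUTES, client, "ISP2")
    print("with /32 route:", lookup(client, fixed))
    print("other traffic :", lookup("203.0.113.9", fixed))
```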
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: