I wanted to move my 30 site-to-site VPNs to another WAN circuit. I configured a second interface on the asa5510 for my other WAN circuit and re-created my test VPN profile for the second interface. On the remote side is an asa5505. I can ping from the remote side to a host behind the 5510. I can see the ping requests and replies on the host, and in the 5510 log it appears they are going out, but I never see them on the remote side. The default route is the original interface, and there are 30 or so active VPNs there. I created a second static route out the second interface to the 5505's IP. Not sure if that was needed, but it made sense. Anyone have an idea how to troubleshoot this? Or is it even possible?
(I am assuming second interface is from another Internet Provider)
Well, you need to use static routes in this case. Since the original interface has the default route attached to it, all the traffic would go through that interface only. But if you want one tunnel to terminate on the second interface you created, you can add a static route for the peer of that VPN with the next hop of the router which is connected to the second interface. For example:
Interface 2 on ASA: 10.10.10.10
Router connected to Interface 2: 10.10.10.11
Site to Site VPN Peer: 188.8.131.52 (You want to move this peer to second interface)
Make a static route on ASA:
route (your second interface name) 184.108.40.206 255.255.255.255 10.10.10.11
And so on: for every peer you can make a static route, and on those peers you can define this interface IP (10.10.10.10) as the peer.
The rest of the configuration would be the same, I think. Cheers.
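To make the route-selection argument in the reply above concrete, here is an added example (not code from the thread) that simulates the ASA's longest-prefix match: the peer first resolves to the default-route interface, and a /32 static route moves only that peer to the second interface. Interface names, the default-route next hop and the inside subnet are constructed assumptions; the peer and next-hop addresses come from the reply.

```python
import ipaddress

# Constructed routing table: a default route on the original WAN interface
# plus an inside subnet. Interface names and these addresses are assumptions.
BASE_ROUTES = [
    ("0.0.0.0/0", "outside", "203.0.113.1"),    # constructed default route
    ("10.0.0.0/24", "inside", "10.0.0.254"),    # constructed inside subnet
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface, next_hop) tuples.

    Returns (interface, next_hop) for dst, or None if nothing matches.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def routes_with_peer_overrides(base, iface, next_hop, peers):
    """Add one host (/32) static route per VPN peer via the second interface.

    The /32 beats the 0.0.0.0/0 default, so only the listed peers move; every
    other destination keeps using the original interface.
    """
    return base + [(f"{peer}/32", iface, next_hop) for peer in peers]


def asa_route_line(iface, peer, next_hop):
    """Render the ASA 'route' statement for a single peer, as in the reply."""
    return f"route {iface} {peer} 255.255.255.255 {next_hop}"


if __name__ == "__main__":
    peer = "188.8.131.52"
    print("before:", lookup(BASE_ROUTES, peer))       # ('outside', '203.0.113.1')
    moved = routes_with_peer_overrides(BASE_ROUTES, "outside2", "10.10.10.11", [peer])
    print("after: ", lookup(moved, peer))             # ('outside2', '10.10.10.11')
    print(asa_route_line("outside2", peer, "10.10.10.11"))
```

Running the lookup for each of the 30 peers before and after adding the host routes shows which tunnels will still terminate on the default-route interface.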
Thanks for your suggestion. This had already occurred to me and it's what got the IPsec to establish the tunnel. What happens is I ping from hostB on the remote side subnetB, I see the packets come in to hostA across the tunnel. The hostA sends replies, and the ASA on subnetA builds the outbound connection, but the packets never reach hostB.