Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

[5510] IPSec on outside and DMZ interfaces

Hi all,

I have a little question on IPSec on ASA5510.

I want to have a L2L tunnel IPSec on both outside and DMZ interfaces with only two networks.

The VPN on the DMZ interface will be the backup of the outside.

You can see the network diagram in attachment.

Both tunnel seems to mount correctly (one at a time) but with my DMZ interface, I have not connection.

Is there an issue to solve my problem ?

Thanks a lot,


Cisco Employee

Re: [5510] IPSec on outside and DMZ interfaces

You can have tunnels on two interfaces, but you have to make sure your routing is set up to send traffic out that interface.

If you only want it as a backup, then you need to do something like IP SLA monitoring with route tracking, so when the monitor fails over one link, the route will fail over to the second link.

Similar to this link:

PS. If you found this response helpful, please rate it.

New Member

Re: [5510] IPSec on outside and DMZ interfaces

Hi, thanks for your reply.

In fact, I want to have both interface : Outside & DMZ.

The outside interface will only use to nat the inside to Internet and the DMZ will have the VPN.

If my ISP on DMZ failed, I want to have the VPN on my outside interface.

So sla don't answer to my problem ...

Routing seems to cause problem between the two interfaces (dmz, outside) with the same range (the inside).

Finally, i think it's not possible ... but if you have a solution ! ...

Cisco Employee

Re: [5510] IPSec on outside and DMZ interfaces


Looks like it will be difficult to get that working. You could use host routes with the route tracking for the VPN networks and the VPN peer IPs, where it prefers the DMZ interface, however, when it fails, the route is removed, and everything flows out the default interface. The problem with that however, is that the site you are connecting to will need to be set up to allow dynamic connections, with DPD enabled, so it detects when the original IP is unreachable.

This is definitely a tricky solution, but it could work.

CreatePlease to create content