ASA 5510 multiple VPN tunnels via different interfaces
Is it possible to create VPN tunnels out more than one interface of an ASA (specifically a 5510 with 8.4), or am I trying to do the impossible?
We have 2 public interfaces on our ASA connected to 2 different ISPs.
We have working L2L tunnels from the ASA to remote offices via the interface that is our "primary" ISP and also used as our default gateway for internet traffic.
We are trying to move one remote office to use our secondary connection for its tunnel (high-traffic office that we would prefer to separate away from the rest of our internet and VPN traffic).
I can create the tunnel with appropriate ACL for tunnel traffic, crypto map, etc., set up a static route to force the ASA to use the secondary interface for traffic destined to the public IP of the remote gateway, and when I'm done, traffic initiated by the remote site will cause the tunnel to negotiate and come up - I can see the tunnel in show crypto ikev1 sa as L2L responder MM_ACTIVE, show ipsec sa with correct destination and correct local/remote identities for interesting traffic, but the local ASA never tries to send traffic out the tunnel. If I use packet-tracer, it never shows a VPN involved in traffic from main office to the remote office, as if the ASA isn't seeing this as matching traffic for the VPN tunnel.
If I take the exact same access-list and crypto map statements and change them to use the primary ISP's connection (and, of course, change the IP the remote field office is connecting to), then the connection works as expected.
What am I missing?
Here's a sample of the VPN config: (PUBLIC_B is our second ISP link, 192.168.0.0/23 is MainOffice, 192.168.3.0/24 is FieldOffice)
crypto map PUBLIC_B_map 10 match address PUBLIC_B_map
crypto map PUBLIC_B_map 10 set peer x.x.x.x
crypto map PUBLIC_B_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map PUBLIC_B_map interface PUBLIC_B
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
route PUBLIC_B x.x.x.32 255.255.255.224 y.y.y.y 1
If I take this exact same config and change it to use PUBLIC (our main connection) instead of PUBLIC_B, remove the route PUBLIC_B statement, and change the field office to point to PUBLIC's IP address, then everything works, so my access-list and crypto map statements should be correct.
What I don't understand is why the main office ASA doesn't seem to recognize interesting traffic for the tunnel when the tunnel is destined out the second ISP connection, but does work when it is destined out the main ISP. There is no connectivity issue with ISP B - as mentioned before, the tunnel will come up and negotiate correctly when traffic is initiated from the field office, but the main office traffic is never sent back down the tunnel - it is as if the ASA doesn't think the traffic from 192.168.0.x to 192.168.3.x should go over the VPN.
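Added example, not part of the original post: a config consistency check for the symptom described above. It relies on the ASA rule that a crypto map only encrypts traffic the routing table actually sends out the interface the map is bound to, so the check parses the crypto map, access-list and route lines and flags any remote subnet in the encryption domain whose egress interface differs from the crypto map's interface. The access-list, the default route and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed assumptions, since the post redacts them.

```python
import ipaddress
import re

# Constructed sample based on the post's config; the access-list, default route
# and all public addresses are assumptions (the post redacts them as x.x.x.x).
SAMPLE_CONFIG = """
access-list PUBLIC_B_map extended permit ip 192.168.0.0 255.255.254.0 192.168.3.0 255.255.255.0
crypto map PUBLIC_B_map 10 match address PUBLIC_B_map
crypto map PUBLIC_B_map 10 set peer 203.0.113.40
crypto map PUBLIC_B_map interface PUBLIC_B
route PUBLIC 0.0.0.0 0.0.0.0 198.51.100.1 1
route PUBLIC_B 203.0.113.32 255.255.255.224 192.0.2.1 1
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+(?: \d+)?")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")

def parse(config):
    """Collect static routes, ACL remote subnets, and crypto map ACL/interface bindings."""
    routes, acls, map_acl, map_if = [], {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ROUTE_RE.match(line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False))
        elif m := MAP_ACL_RE.match(line):
            map_acl[m[1]] = m[2]
        elif m := MAP_IF_RE.match(line):
            map_if[m[1]] = m[2]
    return routes, acls, map_acl, map_if

def egress_interface(routes, dst):
    """Longest-prefix match over the static routes; returns the interface name or None."""
    best = None
    for iface, net in routes:
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None

def check_crypto_maps(config):
    """Report (map, remote subnet, map interface, actual egress) for every mismatch."""
    routes, acls, map_acl, map_if = parse(config)
    findings = []
    for name, iface in map_if.items():
        for remote in acls.get(map_acl.get(name, ""), []):
            egress = egress_interface(routes, remote)
            if egress != iface:
                findings.append((name, str(remote), iface, egress))
    return findings
```

With only the peer's public /27 routed out PUBLIC_B, the field-office subnet still follows the default route out PUBLIC and the check reports a mismatch; adding a route for 192.168.3.0/24 out PUBLIC_B clears it.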