Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 seperate ISP for WebVPN ?

Hello,

is it possible to have the ASA connected to two ISP's and use the one ISP connection for Client/S2S VPN and Internet Access and the second ISP connection just for the WebVPN Traffic? How would you manage the Routing, as the default route is pointing to the first connection or is that not an issue here?

Greetings

Thomas

  • VPN
6 REPLIES
VIP Purple

ASA 5510 seperate ISP for WebVPN ?

Your remote-access sessions have to be used over the ISP where the default-route is used. You only can put your S2S-VPNs on the other ISP with the help of dedicated routes.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

ASA 5510 seperate ISP for WebVPN ?

Hi Thomas,

This would work without any kind of issues. It is always confusing to some people because they think that ASA needs to route a packet. However the fact is that in case of TCP traffic ASA will respond back on the same interface without doing a route lookup.

The same logic applies to Anyconnect also. If you want to use anyconnect on a seperate interface other than the default route interface, it will also work. But IPSec VPN client won't work because the first connection of IPSec client uses UDP packets instead of TCP.

So in a nutshell, just enable webvpn on your secondary interface and you will be good to go...you don't need to worry about any kind of routing at all.

Shikhar Sharma

CCIE Security # 29741

Cisco TAC - VPN Team

VIP Purple

ASA 5510 seperate ISP for WebVPN ?

Hi Shikhar,

since which version is that supported? I'm not aware at all that the ASA is capable of that and it didn't work for me when I testet it to fing that out (but these tests were not with recent versions).

regards, Karsten

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

ASA 5510 seperate ISP for WebVPN ?

Hello Karsten, Hello Shikhar,

thanks for your responds! My ASA is running 8.2(5) so not the latest version eather ;-) but I will give it a try and let you know if it works.

regards, Thomas

New Member

ASA 5510 seperate ISP for WebVPN ?

Hello again,

okay, I have tried just enabling WebVPN on the new interface, but then I am not able to reach the WebVPN portal, as soon as I set a route for example for just one external IP address on the ISP for WebVPN I am able to reach it from that single IP.

Maybe I have the possibility to work with static routes just like that, as the WebVPN was planed to be used to grant access for an dependent company.

@Shikhar, but if there is a Software Version that can handle this without the need for static routes it would be great if you could let us know

regards, Thomas

Re:ASA 5510 seperate ISP for WebVPN ?

Hi,

No need for dedicated routes, the ASA keeps track of the specific TCP session on the specific interface where the WebVPN session is established.

Please keep us posted.

Thanx

Portu

Sent from Cisco Technical Support Android App

346
Views
0
Helpful
6
Replies
This widget could not be displayed.