is it possible to have the ASA connected to two ISP's and use the one ISP connection for Client/S2S VPN and Internet Access and the second ISP connection just for the WebVPN Traffic? How would you manage the Routing, as the default route is pointing to the first connection or is that not an issue here?
This would work without any kind of issues. It is always confusing to some people because they think that ASA needs to route a packet. However the fact is that in case of TCP traffic ASA will respond back on the same interface without doing a route lookup.
The same logic applies to Anyconnect also. If you want to use anyconnect on a seperate interface other than the default route interface, it will also work. But IPSec VPN client won't work because the first connection of IPSec client uses UDP packets instead of TCP.
So in a nutshell, just enable webvpn on your secondary interface and you will be good to go...you don't need to worry about any kind of routing at all.
okay, I have tried just enabling WebVPN on the new interface, but then I am not able to reach the WebVPN portal, as soon as I set a route for example for just one external IP address on the ISP for WebVPN I am able to reach it from that single IP.
Maybe I have the possibility to work with static routes just like that, as the WebVPN was planed to be used to grant access for an dependent company.
@Shikhar, but if there is a Software Version that can handle this without the need for static routes it would be great if you could let us know
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...