Cisco Support Community
Can I re-route internet traffic for site-to-site VPNs terminating on one ASA out through a different ASA?

This may sound like a strange thing to want to do in the first place, but please bear with me! Here is the scenario:

I have an ASA (ASA A) in my datacentre connected to ISP A. I have a number of remote sites (also connected to ISP A) with IPsec VPN connections to the datacentre terminating on ASA A. At the moment, the remote sites are configured to split-tunnel, i.e. datacentre traffic is sent through the IPsec VPN tunnel and internet traffic is sent directly to the internet through each site's individual ADSL connection (via ISP A).

I also have another ASA (ASA B) in my datacentre connected to ISP B. Is it possible for me to reroute internet traffic from these remote sites (or at least traffic to a few specific internet addresses) out through ASA B and the connection to ISP B? If so, how can this be achieved?

 Remote Site 1 Subnet

 Datacentre Inside Subnet
 ASA A - Inside
 ASA B - Inside

 Internet Site 1 -
 Internet Site 2 -

I've tried the following at Remote Site 1:

Defined the interesting traffic for the VPN tunnel to include traffic to the internet sites, i.e.:

ip access-list extended dc-vpn
permit ip
permit ip host
permit ip host

Configured a "no-nat" ACL on the remote site router so that traffic to these internet sites is NOT NATed (because it will instead be NATed when it goes out through ASA B's internet connection):

ip access-list extended no-nat
deny ip
deny ip host
deny ip host
permit ip any
(all other internet traffic is "split-tunnelled" and sent through the site's ADSL internet connection)

route-map nonat permit 10
 match ip address no-nat
ip nat inside source route-map nonat interface Dialer0 overload

On ASA A, I set up route statements saying that those internet sites can be reached via the "inside" interface and ASA B:

route inside 1
route inside 1

On ASA B, I set up a translation for traffic from the ASA A remote sites to reach the internet sites, i.e. traffic from remote site 1 ( should be translated to the public IP for communications with the internet sites and

object network obj-remote-site1
object network obj-internet-trans
object network obj-internet-site1
object network obj-internet-site2
nat (outside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site1 obj-internet-site1
nat (outside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site2 obj-internet-site2


But this has not worked (as far as I can tell, the traffic to these internet sites is being sent by the remote site across the VPN tunnel to the datacentre but then goes no further, i.e. it is not being sent out through ASA B and the internet connection to ISP B).

I've included a diagram to help illustrate the set-up.

The reason I want to be able to do this is that we have had problems recently with ISP A's internet transit. Our connectivity between the DC and the remote sites has remained up, but the remote sites have had intermittent connectivity problems with the internet due to ISP A's transit problems. I thought that a workaround might be to redirect the more critical internet traffic via the ASA connected to ISP B, which hasn't been suffering the same problems.

Can anyone advise (a) whether this is actually achievable and, (b) if so, what I need to configure to achieve it?
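Editor's note: below is a fully addressed version of the design described in the post, added here as a worked example. It is not configuration from the original post or from Cisco; all addresses (10.1.1.0/24 for the remote site LAN, 10.0.0.0/24 for the DC inside subnet with ASA A at 10.0.0.1 and ASA B at 10.0.0.2, 203.0.113.x on ISP B, 192.0.2.10 and 192.0.2.20 for the two internet sites) are assumed RFC 1918/5737 values, and the object and ACL names follow the post. It shows the three places where the path has to agree for this to work end to end: the remote site router's crypto and no-NAT ACLs, ASA A's mirrored crypto ACL entries and its routes toward ASA B, and ASA B's translation plus the return route for the remote site subnet. One semantic point a practitioner should check on the ASA: the interface pair in `nat (real_ifc,mapped_ifc)` names the interface the untranslated traffic enters and the interface the translated traffic leaves. Traffic forwarded by ASA A arrives on ASA B's inside interface and leaves via outside, so the pair for that flow is (inside,outside); a same-interface pair such as (outside,outside) only applies to traffic that enters and exits the same interface, which additionally requires `same-security-traffic permit intra-interface`.

```cisco
! ===== Remote site 1 router (IOS), assumed LAN 10.1.1.0/24 =====
! Interesting traffic for the tunnel: the DC inside subnet plus the two
! internet sites that should exit via ASA B.
ip access-list extended dc-vpn
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 host 192.0.2.10
 permit ip 10.1.1.0 0.0.0.255 host 192.0.2.20
! Exempt exactly the same flows from the local overload NAT so ASA B sees
! the real 10.1.1.0/24 source; everything else is split-tunnelled out Dialer0.
ip access-list extended no-nat
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 host 192.0.2.10
 deny   ip 10.1.1.0 0.0.0.255 host 192.0.2.20
 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address no-nat
ip nat inside source route-map nonat interface Dialer0 overload

! ===== ASA A (DC, ISP A; inside 10.0.0.1) =====
! The crypto ACL must be the mirror image of the remote site's dc-vpn ACL,
! otherwise the two extra flows are rejected at the tunnel (assumed ACL name).
access-list site1-vpn extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list site1-vpn extended permit ip host 192.0.2.10 10.1.1.0 255.255.255.0
access-list site1-vpn extended permit ip host 192.0.2.20 10.1.1.0 255.255.255.0
! (the crypto map entry referencing site1-vpn is the normal L2L one and is omitted)
! Decrypted traffic for the two internet sites is routed across inside to ASA B.
route inside 192.0.2.10 255.255.255.255 10.0.0.2 1
route inside 192.0.2.20 255.255.255.255 10.0.0.2 1

! ===== ASA B (DC, ISP B; inside 10.0.0.2, outside 203.0.113.10/24) =====
object network obj-remote-site1
 subnet 10.1.1.0 255.255.255.0
object network obj-internet-trans
 host 203.0.113.20
object network obj-internet-site1
 host 192.0.2.10
object network obj-internet-site2
 host 192.0.2.20
! Real interface is inside (packets come from ASA A), mapped interface is outside.
! Only these two destinations are translated for the remote site subnet.
nat (inside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site1 obj-internet-site1
nat (inside,outside) source dynamic obj-remote-site1 obj-internet-trans destination static obj-internet-site2 obj-internet-site2
! Forward path to ISP B, and a return route so that replies for 10.1.1.0/24
! go back to ASA A (and from there into the tunnel) instead of following the
! default route out to ISP B and being dropped.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.1.0 255.255.255.0 10.0.0.1 1
```

To verify each hop independently: on the remote router, `show crypto ipsec sa` should show encaps counters increasing for the new 192.0.2.x proxy identities; on ASA A, `show route` should list the two host routes via 10.0.0.2; on ASA B, `packet-tracer input inside tcp 10.1.1.10 12345 192.0.2.10 80` should report the (inside,outside) NAT rule being hit and an ALLOW result, and `show xlate` should show 10.1.1.x mapped to 203.0.113.20 once real traffic flows. If packet-tracer shows the flow being dropped at the ROUTE-LOOKUP or NAT phase, the problem is on ASA B; if the remote router's SA never shows the new proxy identities, the crypto ACLs on the two ends do not mirror each other.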