Dual Default Route Cisco ASA for Remote Access VPN Scenario

fatalXerror
Level 5

Hi, is it possible to have 2 separate interfaces as outside interfaces, both of which can receive and process remote-access VPN?

For example, outside1 will be for remote-access VPN group A and the outside2 will be for remote-access VPN group B?

Thanks


8 Replies

Yes, that will work. You need two DNS names, one for each public ASA IP, and a certificate with both names or two certificates. You enable webvpn on both interfaces, and some of your users have to connect to the first FQDN, the other users to the second FQDN.

Hi Karsten,

Thanks for the feedback, but what about the default route? As far as I know, the ASA cannot have 2 default routes. If the user connects to outsideA, the return traffic will use defaultA, but if the user connects to outsideB, does it use defaultA or its own defaultB?

Thanks.

You have your default route to your primary ISP and a second default route with a higher AD to the secondary ISP. The ASA will return the traffic through the interface where the traffic arrived. Also make sure that you have not enabled spoofing-protection (unicast reverse path forwarding) on the outside interfaces.

Hi Karsten,

Thanks again for the help. 

Sorry, but I forgot to mention that these 2 outside interfaces should both be active.

You stated this,

"The ASA will return the traffic through the interface where the traffic arrived." Does this mean that even if the interface is acting as standby, it can receive traffic and send the return traffic out through it in a RAVPN scenario?

Thanks

That's correct, you can use both outside connections at the same time.

Hi Karsten,

Thanks for the fast feedback, I am getting much clearer picture now.

One last thing: if I can use both outside interfaces as RAVPN termination points, once the endpoint has successfully connected to the VPN, what will happen when the client accesses the internet? Will it use the current default route, which points to the outside1 interface?

Thanks

Yes, this traffic follows the "normal" routed way. Make sure you have NAT for that communication.
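The following configuration sketch puts the points from this thread together (two default routes with different AD, webvpn on both interfaces, uRPF left off, and NAT for VPN clients reaching the internet). It is an added example, not Karsten's or Cisco's configuration; the interface names, addresses, VPN pool, AD values and trustpoint names are placeholders, and the hairpin NAT plus the same-security-traffic line are my assumed way of satisfying "make sure you have NAT for that communication".

```cisco
! Two physical outside interfaces, one per ISP (addresses are placeholders)
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Primary default route (AD 1) via ISP1; backup default route (AD 10) via ISP2.
! Only the AD 1 route is in the routing table while ISP1 is up, but return
! traffic for sessions that arrived on outside2 still leaves via outside2.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! uRPF (spoofing protection) must stay disabled on both outside interfaces,
! otherwise packets arriving on outside2 fail the reverse-path check because
! the active default route points at outside1. Verify with: show run ip verify
no ip verify reverse-path interface outside1
no ip verify reverse-path interface outside2
!
! One trustpoint per public FQDN (placeholder names); a single certificate
! carrying both names could be bound to both interfaces instead.
ssl trust-point TP_VPN1_EXAMPLE outside1
ssl trust-point TP_VPN2_EXAMPLE outside2
!
! Terminate remote-access VPN on both interfaces.
webvpn
 enable outside1
 enable outside2
!
! VPN clients browsing the internet follow the normal default route out of
! outside1. Clients that came in on outside1 hairpin on the same interface,
! so intra-interface traffic must be permitted, and both paths need NAT.
same-security-traffic permit intra-interface
object network VPN_POOL_EXAMPLE
 subnet 10.10.10.0 255.255.255.0
nat (outside1,outside1) source dynamic VPN_POOL_EXAMPLE interface
nat (outside2,outside1) source dynamic VPN_POOL_EXAMPLE interface
```

After applying, `show route` should list only the AD 1 default while ISP1 is up, and `show nat detail` should show hits on both translation rules once clients on each FQDN browse the internet.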

Hi Karsten,

Just to check with you as well: does multi-context mode support RAVPN with HostScan?

Thanks