06-20-2018 04:47 AM - edited 03-12-2019 05:23 AM
Hi, is it possible to have 2 separate interfaces as the outside interface, where both of these interfaces can receive and process remote-access VPN?
For example, outside1 will be for remote-access VPN group A and the outside2 will be for remote-access VPN group B?
Thanks
06-20-2018 05:37 AM
Yes, that will work. You need two DNS-names for both public ASA IPs and a certificate with both names or two certificates. You enable webvpn on both interfaces and some of your users have to connect to the first fqdn, the other users to the second fqdn.
06-20-2018 07:19 PM
Hi Karsten,
Thanks for the feedback, but how about the default route? As far as I know, the ASA cannot have 2 default routes. If the user connects to outsideA, the return will be using defaultA, and what if the user connects to outsideB, does it use defaultA or its own defaultB?
Thanks.
06-21-2018 12:11 AM
You have your default route to your primary ISP and a second default route with a higher AD to the secondary ISP. The ASA will return the traffic through the interface where the traffic arrived. Also make sure that you have not enabled spoofing-protection (unicast reverse path forwarding) on the outside interfaces.
06-21-2018 09:46 PM
Hi Karsten,
Thanks again for the help.
Sorry, but I forgot to tell you, these 2 outside interfaces should both be active.
You stated this:
"The ASA will return the traffic through the interface where the traffic arrived." Will this mean that even if the interface is acting as standby, it can receive traffic and send the return traffic out for the RAVPN scenario?
Thanks
06-21-2018 11:35 PM
That's correct, you can use both outside connections at the same time.
06-22-2018 12:29 AM
Hi Karsten,
Thanks for the fast feedback, I am getting a much clearer picture now.
One last thing: if I can use both outside interfaces as the RAVPN termination point, and the endpoint has successfully connected to the VPN, what will happen if the client goes to access the internet? Will it use the current default route, which is pointing to the outside1 interface?
Thanks
06-22-2018 12:35 AM
Yes, this traffic follows the "normal" routed way. Make sure you have NAT for that communication.
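The pieces named in the replies above, put together as an ASA configuration sketch. This is an added example, not a configuration posted by anyone in the thread; the interface names, addresses, FQDNs, tunnel-group names and pool subnet are constructed placeholders, and the `group-url` mapping is one assumed way to tie each FQDN to its VPN group.

```cisco
! Constructed example: all names and addresses below are placeholders.
! Covers only the parts discussed in the thread (routes, uRPF, webvpn, NAT);
! certificates, AnyConnect image, address pools and group policies are omitted.
!
! Primary default route plus a second default route with a higher AD
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Unicast reverse path forwarding stays off on both outside interfaces,
! as the reply advises (this is the default; shown here to make it explicit)
no ip verify reverse-path interface outside1
no ip verify reverse-path interface outside2
!
! Accept remote-access VPN on both interfaces
webvpn
 enable outside1
 enable outside2
 anyconnect enable
!
! One FQDN per public IP; each FQDN lands its users in a different group
tunnel-group GROUP-A type remote-access
tunnel-group GROUP-A webvpn-attributes
 group-url https://vpn-a.example.com enable
tunnel-group GROUP-B type remote-access
tunnel-group GROUP-B webvpn-attributes
 group-url https://vpn-b.example.com enable
!
! Internet-bound traffic from connected clients follows the normal routing
! table (default route via outside1) and needs NAT on the way out.
! VPN clients arrive on an outside interface, so traffic must be allowed to
! leave through the same interface or one with the same security level.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
object network VPN-POOL
 subnet 10.99.0.0 255.255.255.0
nat (any,outside1) source dynamic VPN-POOL interface
```

After applying a configuration like this, `show route` and `show vpn-sessiondb anyconnect` show which default route is installed and which public IP each session terminated on.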
06-24-2018 07:25 PM
Hi Karsten,
Just to check with you as well, can multi-context mode support RAVPN with hostscan?
Thanks