Dual ISP VPNs, but only one for surfing

sandman42
Level 1

Hi all,

As of now I have one slow internet line that's used for both internet surfing and VPNs, as per the following:

 

I've bought a faster line, and I'd want to use it for some VPN (those that are under my complete control) and for internet surfing (=web, email and so on), while leaving the slow line only for some VPNs but no internet surfing.

MyFW is a Cisco ASA 5510. Is such a configuration possible, assuming that the ISPs are different, so there's no BGP, and the VPNs are site-to-site, so those set up for MyPublicIP1 simply won't work if that line is down, i.e. something like this:

 

Thanks and ciao

3 Replies

Rudy Sanjoko
Level 4

If I understand you correctly, this is what you are trying to do: some VPNs and internet traffic need to use ISP2, and some VPNs need to use ISP1.

If that is the case, then you need to have two different site-to-site VPNs and two routes. Direct traffic to the internet using a default route to ISP2, and also define the routes for VPN traffic accordingly to ISP1 and ISP2.

HTH,

 

sandman42
Level 1

Yes, you understand correctly, but how can I tell the firewall: for the VPNs go through public IP 1, for the internet go through public IP 2?

In other words, do I have to do something like:

interface Ethernet0/0
 nameif outsideint
 security-level 0
 ip address theoneforvpnandinternet
!
interface Ethernet0/1
 nameif outsidevpn
 security-level 0
 ip address theoneforvpnonly
!

[...]

! Default route: the ASA needs the egress interface name, and the next hop
! is ISP2's gateway address, not the ASA's own public IP.
route outsideint 0.0.0.0 0.0.0.0 ISP2gateway
! Host route(s) for the VPN peer(s) that must stay on the slow line.
route outsidevpn remotePeerY 255.255.255.255 ISP1gateway

! Identity (no-NAT) rules for the site-to-site traffic. Manual NAT rules are
! matched top-down, so these must come before the dynamic PAT rule below,
! otherwise VPN traffic would be translated and never match the crypto ACLs.
nat (inside,outsideint) source static myLANObjs myLANObjs destination static remoteLANX remoteLANX no-proxy-arp route-lookup
nat (inside,outsidevpn) source static myLANObjs myLANObjs destination static remoteLANY remoteLANY no-proxy-arp route-lookup

! Dynamic PAT for internet surfing on the fast line (manual NAT form).
nat (inside,outsideint) source dynamic any interface

Ciao

I just realized that there is only one source IP. I was thinking that the source would be different. What I had in mind was: route traffic from source VPN range A to ISP1 and from source VPN range B to ISP2.

One thing that I can think of is using only one router instead of two in front of the ASA. On that router, which is connected to both ISPs on different physical interfaces, you can use a route map to filter and specify the next hop based on the destination address of the packet (assuming you have different destination addresses).
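The single-router variant suggested above, written out as an added IOS policy-based-routing example (it is not configuration from anyone in this thread). The interface names, the documentation-range addresses and the two VPN peer addresses are constructed placeholders; the ASA still terminates the tunnels and does NAT, none of which is shown here.

```text
! Constructed example: one IOS router between the ASA and both ISPs.
! Assumed addressing (placeholders, not from the thread):
!   Gi0/0  facing the ASA outside interface (203.0.113.1/30, ASA is .2)
!   Gi0/1  to ISP1 (slow line),  ISP1 gateway 198.51.100.1
!   Gi0/2  to ISP2 (fast line),  ISP2 gateway 192.0.2.1
!   VPN peers that must stay on ISP1: 198.18.10.5 and 198.18.20.9
!
! Because the ASA presents a single outside source address, the only
! usable selector is the destination: the remote VPN peer addresses.
ip access-list extended VPN-PEERS-VIA-ISP1
 permit ip any host 198.18.10.5
 permit ip any host 198.18.20.9
!
! Matching packets are handed to ISP1. Anything that does not match falls
! through to normal routing, i.e. the default route via ISP2. No explicit
! deny is needed; an unmatched packet is simply routed normally.
route-map PBR-FROM-ASA permit 10
 match ip address VPN-PEERS-VIA-ISP1
 set ip next-hop 198.51.100.1
!
interface GigabitEthernet0/0
 description Toward ASA outside
 ip address 203.0.113.1 255.255.255.252
 ip policy route-map PBR-FROM-ASA
!
interface GigabitEthernet0/1
 description ISP1 (slow line, selected VPN peers only)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description ISP2 (fast line, internet and the remaining VPNs)
 ip address 192.0.2.2 255.255.255.252
!
! Internet surfing and the VPNs under the poster's control use ISP2.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

With no `verify-availability` or tracking on the `set ip next-hop`, a dead ISP1 link leaves the ISP1-only tunnels down rather than failing them over, which matches the behaviour the original question asks for.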
