Cisco Support Community

Dual ISP VPNs, but only one for surfing

Hi all,

As of now I have one slow internet line that's used for both internet surfing and VPNs, as per the following:


I've bought a faster line, and I'd like to use it for some VPNs (those that are under my complete control) and for internet surfing (web, email and so on), while leaving the slow line only for some VPNs and no internet surfing.

MyFW is a Cisco ASA 5510. Is such a configuration possible, assuming that the ISPs are different (so there's no BGP) and the VPNs are site-to-site, so those set up for MyPublicIP1 simply won't work if that line is down, i.e. something like this:


Thanks and ciao



If I understand you correctly, this is what you are trying to do: some VPNs and internet traffic need to use ISP2, and some VPNs need to use ISP1.

If that is the case, then you need to have two different site-to-site VPNs and two routes. Direct traffic to the internet using a default route to ISP2, and also define the routes for the VPN traffic to ISP1 and ISP2 accordingly.





Yes, you understand correctly, but how can I tell the firewall: for the VPNs go through public IP 1, for the internet go through public IP 2?

In other words, do I have to do something like:

interface Ethernet0/0
 nameif outsideint
 security-level 0
 ip address theoneforvpnandinternet <its-netmask>
interface Ethernet0/1
 nameif outsidevpn
 security-level 0
 ip address theoneforvpnonly <its-netmask>
!
! default route: everything without a more specific route (internet surfing
! and the VPNs that live on this line) leaves via ISP2's gateway
route outsideint 0.0.0.0 0.0.0.0 <ISP2-gateway>
! more specific routes for the peer that must stay on the slow line, so both
! the remote LAN and the IPsec packets to that peer egress on outsidevpn
route outsidevpn <remoteLANY-network> <remoteLANY-netmask> <ISP1-gateway>
route outsidevpn <remoteLANY-peer-public-IP> 255.255.255.255 <ISP1-gateway>
!
! identity (no-NAT) twice NAT for the VPN-protected traffic; these must come
! before the dynamic PAT rule, because twice NAT rules are matched in order
nat (inside,outsideint) source static myLANObjs myLANObjs destination static remoteLANX remoteLANX no-proxy-arp route-lookup
nat (inside,outsidevpn) source static myLANObjs myLANObjs destination static remoteLANY remoteLANY no-proxy-arp route-lookup
!
! dynamic PAT to the fast line's interface address for plain internet surfing
nat (inside,outsideint) source dynamic myLANObjs interface



I just realized that the source IP is only one source. I was thinking that the sources would be different. What I had in mind was to route traffic from source VPN range A to ISP1 and from source VPN range B to ISP2.

One thing that I can think of is using only one router instead of two in front of the ASA. On that router, which is connected to both ISPs on different physical interfaces, you can use a route map to filter and specify the next hop based on the destination address of the packet (assuming you have different destination addresses).
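The router-in-front approach described above, as an added example that is not from the original thread: an IOS-style configuration for a router with two ISP uplinks that policy-routes packets for the VPN peers that must use ISP1, while everything else follows the default route to ISP2. All addresses and interface names are assumed placeholders (RFC 5737 documentation ranges).

```cisco
! Assumed placeholders (not from the thread): ISP1 gateway 198.51.100.1 on Gi0/0,
! ISP2 gateway 203.0.113.1 on Gi0/1, the ASA's outside interface behind Gi0/2.
! Traffic the ASA sends toward a site-to-site peer is already encrypted, so the
! destination to match is the remote VPN peer's public IP, not the remote LAN.
ip access-list extended VPN-VIA-ISP1
 remark peers that must be reached over the slow ISP1 line (placeholder IPs)
 permit ip any host 192.0.2.10
 permit ip any host 192.0.2.20
!
! route-map entries with no match fall through to the normal routing table,
! so only the listed peers are forced to ISP1
route-map PBR-DUAL-ISP permit 10
 match ip address VPN-VIA-ISP1
 set ip next-hop 198.51.100.1
!
interface GigabitEthernet0/0
 description uplink to ISP1 (slow line, selected VPNs only)
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 description uplink to ISP2 (fast line, surfing and the VPNs you control)
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/2
 description toward the ASA outside interface
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map PBR-DUAL-ISP
!
! everything not matched by the policy (web, mail, the other VPNs) uses ISP2
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Because the ASA's outside address is now private behind the router, each ISP uplink still needs its own public address and NAT on the router, and the remote peers must be configured with the corresponding public IP.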
