Multiple interfaces for site-to-site VPN on ASA

JOEL SNIDER
Level 1

Is it possible to segment site-to-site VPN traffic to different output interfaces on the ASA platform? I would like to direct site-to-site VPNs from partners to a different interface than site-to-site VPNs from corporate sites.


jj27
Spotlight

On an ASA, you can only have one default route (0.0.0.0/32) going to a single interface, but you should be able to use the other interfaces for VPN connections.

For example:

Interface outside1: IP address 1.2.3.4/24 with default gateway of 1.2.3.1/24

Interface outside2: IP address 2.3.4.5/24 with default gateway of 2.3.4.1/24

You would have your normal default route of route outside1 0.0.0.0 0.0.0.0 1.2.3.1 and you would point your corporate VPN tunnels to the endpoint peer address of 1.2.3.4.

You would then have routes for your partner sites going out interface outside2. For example, for a partner with an IP of 4.5.6.7 you would use: route outside2 4.5.6.7 255.255.255.255 2.3.4.1.

Point the partner VPN endpoints to build a tunnel to your external address of 2.3.4.5.

Make sense?
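
The layout described in the reply above, written out as an ASA configuration fragment. This is an added example, not part of the original thread; the interface hardware names, ACL and crypto map names, the 10.x protected subnets, the corporate peer 198.51.100.10 and the key placeholders are assumptions, and an IKEv1 policy is assumed to exist already.

```cisco
! Constructed example built around the addresses used in the reply.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 1.2.3.4 255.255.255.0
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 2.3.4.5 255.255.255.0
!
! Single default route: corporate peers and their subnets follow it out outside1.
route outside1 0.0.0.0 0.0.0.0 1.2.3.1
! The partner peer AND the partner's protected subnet (assumed 10.20.0.0/24)
! must route out outside2. The ASA picks the egress interface by route lookup
! first and only then evaluates the crypto map bound to that interface.
route outside2 4.5.6.7 255.255.255.255 2.3.4.1
route outside2 10.20.0.0 255.255.255.0 2.3.4.1
!
! Interesting-traffic ACLs (local LAN assumed to be 10.1.0.0/24).
access-list CORP_VPN_ACL extended permit ip 10.1.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list PARTNER_VPN_ACL extended permit ip 10.1.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! IKE has to be enabled on every interface that terminates tunnels.
crypto ikev1 enable outside1
crypto ikev1 enable outside2
!
! One crypto map per interface: corporate tunnels terminate on 1.2.3.4.
crypto map CORP_MAP 10 match address CORP_VPN_ACL
crypto map CORP_MAP 10 set peer 198.51.100.10
crypto map CORP_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map CORP_MAP interface outside1
! Partner tunnels terminate on 2.3.4.5.
crypto map PARTNER_MAP 10 match address PARTNER_VPN_ACL
crypto map PARTNER_MAP 10 set peer 4.5.6.7
crypto map PARTNER_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map PARTNER_MAP interface outside2
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <corporate-psk-placeholder>
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key <partner-psk-placeholder>
```

After applying a layout like this, `show route` should list the partner peer and subnet against outside2, and `show crypto ipsec sa peer 4.5.6.7` should report the SA on interface outside2.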
