Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 508
  • Last Modified:

ASA5520 with 02 internet connection

Hi bro,

            route vpn 0.0.0.0 0.0.0.0 x.x.x.x 2
                                02. VPN Client---------    ASA--------------Inside Network
                                                                             |
                                                                             |
                                                   route vpn 0.0.0.0 0.0.0.0 x.x.x.x 1
                                                         01. Internet connection

I have 02 internet connections and I want the using first connection for Internet and the second connection for VPN client. I already configure the first connection connect to Internet from inside network.

The second connection if add the command route vpn 0.0.0.0 0.0.0.0 x.x.x.x 2 and do VPN Client from outside, ASA response with log bellow:
      Routing failed to locate next hop for UDP from NP Identity.

Can you please show me how to configure the ASA only answer the IPSEC VPN on the vpn interface only?

Thank you very much for you help!
0
twinq
Asked:
twinq
1 Solution
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
You cant do that. You cant have two default routes active at the same time. When you do what you describe you have only one default route active, the one with lowest metric. The second one (with a "2" at the end is not active until the first one is removed or invalid.

/Kvistofta
0
 
twinqAuthor Commented:
Do you have any solution to accept connection from VPN Client while the default route still active?
0
 
SIM50Commented:
I had a similar situation with two different ISP's coming into one ASA. I was able to use 2nd interface by putting static routes for each VPN client while using 1st interface for all other traffic.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
twinqAuthor Commented:
Hi SIM50,

Thanks for your reply!

But I want to use dynamic route for second interface. Because, for each vpnclient for each time connect to ASA they not using static IP (they are using ADSL connection).

I already try using static IP before post this question to this website. :D

I hope someone have solution for this case.
0
 
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
twinq: You cannot do that, there is no solution to this with your given input.

If you have one static default route pointing to your first ISP gateway there is no dynamic way for the ASA to learn to route traffic to vpn-clients via the secondary ISP. See my first comment on this.

/Kvistofta
0
 
be_rootCommented:
Hi, its bad design chose to use FW as ISP edge connection. In my case, im using 2 3845 as BGP ASBR  in to 2 different ISP, and i have 2 WAN modules its "Remote Access" & "VPN" on Cisco ASA 5540 support. I have 2 static routes in my different DMZ zones, that redistributed back in to my BGP AS. It you need help in this solution, I can help with all question.
WBR Antony Seqoya.
0
 
QlemoC++ DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now