Solved

ASA5520 with 02 internet connection

Posted on 2010-09-20
8
501 Views
Last Modified: 2012-05-10
Hi bro,

            route vpn 0.0.0.0 0.0.0.0 x.x.x.x 2
                                02. VPN Client---------    ASA--------------Inside Network
                                                                             |
                                                                             |
                                                   route vpn 0.0.0.0 0.0.0.0 x.x.x.x 1
                                                         01. Internet connection

I have 02 internet connections and I want the using first connection for Internet and the second connection for VPN client. I already configure the first connection connect to Internet from inside network.

The second connection if add the command route vpn 0.0.0.0 0.0.0.0 x.x.x.x 2 and do VPN Client from outside, ASA response with log bellow:
      Routing failed to locate next hop for UDP from NP Identity.

Can you please show me how to configure the ASA only answer the IPSEC VPN on the vpn interface only?

Thank you very much for you help!
0
Comment
Question by:twinq
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33715443
You cant do that. You cant have two default routes active at the same time. When you do what you describe you have only one default route active, the one with lowest metric. The second one (with a "2" at the end is not active until the first one is removed or invalid.

/Kvistofta
0
 

Author Comment

by:twinq
ID: 33722034
Do you have any solution to accept connection from VPN Client while the default route still active?
0
 
LVL 14

Expert Comment

by:SIM50
ID: 33744704
I had a similar situation with two different ISP's coming into one ASA. I was able to use 2nd interface by putting static routes for each VPN client while using 1st interface for all other traffic.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:twinq
ID: 33768034
Hi SIM50,

Thanks for your reply!

But I want to use dynamic route for second interface. Because, for each vpnclient for each time connect to ASA they not using static IP (they are using ADSL connection).

I already try using static IP before post this question to this website. :D

I hope someone have solution for this case.
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33768047
twinq: You cannot do that, there is no solution to this with your given input.

If you have one static default route pointing to your first ISP gateway there is no dynamic way for the ASA to learn to route traffic to vpn-clients via the secondary ISP. See my first comment on this.

/Kvistofta
0
 

Expert Comment

by:be_root
ID: 33955202
Hi, its bad design chose to use FW as ISP edge connection. In my case, im using 2 3845 as BGP ASBR  in to 2 different ISP, and i have 2 WAN modules its "Remote Access" & "VPN" on Cisco ASA 5540 support. I have 2 static routes in my different DMZ zones, that redistributed back in to my BGP AS. It you need help in this solution, I can help with all question.
WBR Antony Seqoya.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34459635
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question