ASA5520 with 02 internet connection

Hi bro,

            route vpn x.x.x.x 2
                                02. VPN Client---------    ASA--------------Inside Network
                                                   route vpn x.x.x.x 1
                                                         01. Internet connection

I have 02 internet connections and I want the using first connection for Internet and the second connection for VPN client. I already configure the first connection connect to Internet from inside network.

The second connection if add the command route vpn x.x.x.x 2 and do VPN Client from outside, ASA response with log bellow:
      Routing failed to locate next hop for UDP from NP Identity.

Can you please show me how to configure the ASA only answer the IPSEC VPN on the vpn interface only?

Thank you very much for you help!
Who is Participating?
Jimmy Larsson, CISSP, CEHConnect With a Mentor Network and Security consultantCommented:
twinq: You cannot do that, there is no solution to this with your given input.

If you have one static default route pointing to your first ISP gateway there is no dynamic way for the ASA to learn to route traffic to vpn-clients via the secondary ISP. See my first comment on this.

Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
You cant do that. You cant have two default routes active at the same time. When you do what you describe you have only one default route active, the one with lowest metric. The second one (with a "2" at the end is not active until the first one is removed or invalid.

twinqAuthor Commented:
Do you have any solution to accept connection from VPN Client while the default route still active?
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

I had a similar situation with two different ISP's coming into one ASA. I was able to use 2nd interface by putting static routes for each VPN client while using 1st interface for all other traffic.
twinqAuthor Commented:
Hi SIM50,

Thanks for your reply!

But I want to use dynamic route for second interface. Because, for each vpnclient for each time connect to ASA they not using static IP (they are using ADSL connection).

I already try using static IP before post this question to this website. :D

I hope someone have solution for this case.
Hi, its bad design chose to use FW as ISP edge connection. In my case, im using 2 3845 as BGP ASBR  in to 2 different ISP, and i have 2 WAN modules its "Remote Access" & "VPN" on Cisco ASA 5540 support. I have 2 static routes in my different DMZ zones, that redistributed back in to my BGP AS. It you need help in this solution, I can help with all question.
WBR Antony Seqoya.
QlemoBatchelor and DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.