Multi-purpose ASA - single public address for Internet, remote access VPN & site-to-site VPN?

cfan73
Scenario: small company with two locations - the main site has a 10-Mb fiber Internet connection, the other a 45-Mb DSL connection.  The sites will communicate via a site-to-site IPsec VPN, and remote clients will connect to the primary site using both IPsec and SSL VPN (hopefully).  I have a couple questions:

1) Since both of these sites have Ethernet hand-offs, and will not carry Internet routes, can I simply use a Cisco ASA at each (as opposed to an actual router, such as an ISR)?   If there's a reason why a real router might still be purposed in this environment, please advise.

2) At the primary site, can a single ASA (sized appropriately) be assigned a single public IP on the outside interface, and handle outbound Internet traffic, the site-to-site VPN, and both types of remote VPN clients?   Can one interface/IP be used for all of these things concurrently?

3) Lastly, if the primary site also had a DSL connection to the Internet, could the ASA be configured to automatically failover to this secondary connection if the primary fiber connection was lost?  (Not sure how this could be done w/o destroying all of the VPN connections)

Thank you, and links/references are always helpful!
The answer to all of the above is yes.

1.  An ASA can route for most small businesses with no problems at all and replace the need for a router; it can't do policy-based routing, but for a smaller-sized shop no worries there.

2.  A single IP can handle both types of VPN, as VPN endpoints are usually terminated on the interface's IP; it doesn't matter the block size. If you have a lot of web servers and/or PATs needed, that will get a little crowded PATing a single address, but otherwise it should work perfectly.

3.  Take a look at what is called IP SLA; you can use this to automatically track routes based on conditions, such as ICMP echo replies, and remove the route from the routing table.  If you have questions on this let me know; I can provide examples of this configuration.

Author commented:
Thank you for your response - a couple of follow-up questions, and I think we'll be done:

2) Just confirming again - you're saying that the single public IP can handle the two types of VPNs (actually three: site-to-site IPsec, remote IPsec and remote SSL VPN), yes?    PLUS, there's no problem in having normal Internet traffic traverse this single public IP?  (I guess I had concerns about how the ASA would distinguish the different types of incoming traffic (VPN/non-VPN, etc.).)

3) Is IP SLA supported on the ASAs?  I haven't dug in, but have dealt w/ this feature before (to a degree), and thought it was just available for routers....  If it works, then yes, config examples from an ASA would be awesome!

Thanks again!!!
You can have all types of connection on the single IP; even with multiple IPs on an interface, the crypto maps are all bound to the interface IP.

And there isn't a problem having normal traffic use that IP. NATing is a concern if you need a lot of hosts to be mapped to ports, and if you go over the bandwidth for a single model, but I don't think in this case it would be a concern.

And yes, IP SLA is supported on the ASAs, which was a shock to me too since IP Base on routers does not support this, but I have used it in multiple instances on ASAs.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
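The tracked-route failover from point 3, combined with the single-interface VPN binding from point 2, as a minimal ASA configuration. This is an added illustration, not part of the thread or the linked Cisco document; interface names, object names, addresses (RFC 5737 documentation ranges), the probe target and timer values are all constructed.

```cisco
! Primary ISP: fiber on "outside"; backup ISP: DSL on "backup".
! All addresses are constructed (RFC 5737 documentation ranges).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Probe a stable host beyond the fiber provider's first hop, so an
! upstream outage (not just a dead next hop) also triggers failover.
! The probe target 192.0.2.1 is a constructed placeholder.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! Tracking object follows the probe's reachability state.
track 1 rtr 10 reachability
!
! Primary default route stays installed only while track 1 is up;
! the backup route (metric 254) takes over when it is withdrawn.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! Outbound PAT on both ISP interfaces so Internet access survives a
! switch (ASA 8.3+ NAT syntax; one object per NAT rule is required).
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network INSIDE_NET_BACKUP
 subnet 10.0.0.0 255.255.255.0
 nat (inside,backup) dynamic interface
!
! Site-to-site, IPsec remote-access and SSL VPN all terminate on the
! interface address, so one public IP serves all three (point 2).
! Binding the same crypto map to "backup" lets tunnels re-form after
! failover; crypto map entries and tunnel groups are assumed to exist.
crypto isakmp enable outside
crypto isakmp enable backup
crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface backup
webvpn
 enable outside
 enable backup
```

Failover changes the public source address, so established tunnels are torn down and must re-establish rather than surviving transparently; the remote site's crypto map needs the backup address listed as a second peer, and the backup route's metric must stay higher than the primary's so it is only used once the tracked route is withdrawn.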

Author commented:
Awesome - thank you!
