ASA5510 configuration question.

Hi all,

Please help me to understand the abilities of the ASA5510.

I have a client who wishes to do the following with an ASA5510.
(and tells me it has already been done but was wiped out without backup)

Two static PPPOE DSL's in bridge mode w8 ext/ip's each
Single LAN subnet

ip6-1 site-site vpn (to a single off-site office)
ip7-1 client-access vpn (for 6 roaming users)

ip6-2 site-site vpn (to a single off-site office)
ip7-2 client-access vpn (for 6 roaming users)

ASA is currently running asa8.4(1)  w/asdm6.4(1)

Is this possible or for that matter even wise to do with a single ASA?

Would appreciate some configuration examples or better/more manageable solution ideas.

I realize I'm asking a lot, and I have no problems with starting new questions for each topic that spawns from this if needed.

Thank you in advance

LVL 12
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

John MeggersNetwork ArchitectCommented:
If I'm understanding you correctly, you want your two ASAs to act as a failover pair.  That's no problem, and let's ignore the second ISP for the moment.  What you really want to to is a single outside interface and use static NAT to translate the inside addresses of the different services (HTTP, FTP, etc.) to addresses that are in the outside subnet.  You don't want to use separate physical interfaces for these functions, and the ASA will not let you assign addresses from the same block to different interfaces.  The ASA configuration guide has lots of information on how to configure static NAT, but a basic command that will translate an external address of to an internal address of looks like:

static (inside,outside) netmask

For the second ISP connection, you will .  The ASA can have connections to two ISPs but you won't effectively be able to use both of them at the same time.  Load balancing or load sharing is not supported on the ASA.  See for a configuration example.  

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
zoofanAuthor Commented:
Hi jm,

static (inside,outside) netmask <- has been depreciated and no longer a valid NAT command for asa 8.3 and above as far as I can tell.
I googled and found the replacement.

However I did:
e0/0 no ip connected to dsl modem
e0/1 lan ip connected to lan

add a static nat's for
ext-ip1 <----> int-s01
ext-ip2 <----> int-s02
ext-ip3 <----> int-s03
ext-ip4 <----> int-s04
ext-ip5 <----> int-s05
and added access-list rules for appropriate ports and traffic.

This seemed to be working ok.  So I then assigned ext-ip6 to e0/2 and connected it to the dsl modem
Configured a anyconnect client-access vpn to this interface.
Connected and that worked.

Is it possible to also have a site-site with all this as well?
As the VPN requires a ip assigned to an interface, and the ASA will not allow two ips on the same subnet on different interfaces.... any thoughts?


zoofanAuthor Commented:
Any idea if I can have two vpn's (client/site) tied to the same int/ip and connected at the same time?


zoofanAuthor Commented:
Got that too!! It will allow two vpn's to the same interface  thank you for your help.

zoofanAuthor Commented:
Thank you for the nudge in the right direction!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.