Link to home
Start Free TrialLog in
Avatar of ronnie_urbanit
ronnie_urbanit

asked on

Cisco ASA 5510

I have a Cisco ASA 5510, that has 4 Interfaces + the Management Interface.

I have for business reasons 5 VLAN's

Originally they were configured like this

Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
Ethernet 3  - A Switch --- WWW50 VLAN & Webserver/DMZ VLAN

The outside Interface has 80 VPN tunnels configured, which are on an old 2MB line along with the Internet connectivity for the site. The VPN's are used only for SQL replication so the 2MB line is sufficient, but the Internet Access at the site is slow.

The WWW50 VLAN is used to connect to 4 sites via a VPN and I would like to use this for Internet Access as well, since this is a 50MB line. The Router on this network is a BT managed Router, so I cannot put any routing on this device or modify it's Config.

I Moved the Webserver to the Management Interface of the ASA and this works fine, I then moved the WWW50 line to Interface 3, so the the ASA connects directly to the router, and Modified the route 0.0.0.0 0.0.0.0 111.111.111.111 (where 111. is the IP addres of the managed router on the 50MB line) This then gave the site a 50MB connection to the Internet.

Here is the new setup


Outside Interface - Ethernet 0
LAN - Ethernet 1
LAN 2 - Ethernet 2
WWW50  - Ethernet 3
Webserver/DMZ - Management

Since doing this all of the VPN tunnels have dropped out completely, the ones that were on the Outside Interface and the ones on the Oldwww50 Interface. In the ASDM I can the Interface that the VPN tunnels are configured on, they all say www50, if I delete the www50 Interface they all revert to the Interface "Outside" but the tunnels still don't work correctly .

Can anyone advise how I can get the VPN tunnels to work correctly ?
Screen-Shot-2013-01-25-at-10.53..png
Avatar of Ernie Beek
Ernie Beek
Flag of Netherlands image

Could you post a sanitized for us to have a look at?
I assume your VPNs were broken because you changed your default route..
Has the external IP changed since you moved to the www50 interface? if so, has this been updated on the branch office firewall/routers?
Avatar of ronnie_urbanit
ronnie_urbanit

ASKER

Hi MAG03

There are 2 groups of VPN connections, 1 is set to the outside Interface, I would like this set of 80 or so VPN's to stay on the outside Interface

The  second group of VPN's in already on the WWW50 Interface.


Erniebeek  I will cleanse the config (and remove some of the VPN's there is no need for all 80 or so to be in there) and post it here shortly
so you have 80 vpns on the "outside" interface and about 4 on the WWW50 interface?  do you have static routes for the 80 VPNs pointing out the outside interface?  I think you might be running into an asynchonous routing issue, since you have set the default route out www50 interface while the remote sites see the VPN peer address on another interface.

try setting static routes for some of the VPNs and see if they come up.
So I will need 80 static routes send the traffic to the Outside Interface, what about the 4 VPN's on the www50 interface that do not come up either.

I have attached the cleansed config
Cleansed-Config.txt
You said you set the default route next hop to the router IP address? But the router is connected to interface Ethernet 0/3? Yet your default route points out the outside interface.  This will need to be changed.  this should bring up the VPNs on the www50 interface.

route outside 0.0.0.0 0.0.0.0 15.15.15.15 1
ASKER CERTIFIED SOLUTION
Avatar of ronnie_urbanit
ronnie_urbanit

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Original config worked