Hey Ron,
With routers we use the "ip local policy" to reference a two-sequence
route-map that makes sure "traffic leaves out the interface it came in on"
(regardless of what the routing table says to get back to the source, via
default gateway or otherwise :). Each sequence has an ACL that permits ip host
x.x.x.x any, where x.x.x.x is the IP address, and a "set ip next-hop" back to
the incoming interface's ISP next hop of that interface -
ip local policy route-map router-mgmt-traffic
ip access-list extended same-int-dsl
 permit ip host 67.100.196.10 any
ip access-list extended same-int-mu1
 permit ip host 38.107.178.150 any
route-map router-mgmt-traffic permit 10
 description mgmt traffic should leave via same interface it came in on
 match ip address same-int-mu1
 set ip next-hop 38.107.178.149
!
route-map router-mgmt-traffic permit 20
 description mgmt traffic should leave via same interface it came in on
 match ip address same-int-dsl
 set ip next-hop 67.100.196.9
Now, for the ASAs, which don't have local policy or interface policy routing,
we need to simply put two equal-cost default routes! LOL!
Try it (and make sure you have the crypto map and ike on both interfaces)
route outside1 0.0.0.0 0.0.0.0 209.10.10.1
route outside2 0.0.0.0 0.0.0.0 208.10.10.1
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto map outside_map interface outside1
crypto map outside_map interface outside2
It does what I'm doing on IOS using, I guess, xlates? To ensure traffic goes
back the way it came in :) I VPN to either public IP :)
-Joe
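As an added illustration (not part of Joe's reply or any Cisco tooling), here is a small Python lint that parses the local-policy route-map and ACLs quoted above and checks, for each ISP-facing interface, that management traffic sourced from that interface's address is policy-routed to that interface's own ISP gateway rather than falling through to the routing table. The interface names, subnet masks and the interface table itself are assumptions; the addresses are the ones in the quoted config.

```python
import ipaddress
import re

# Constructed IOS fragment, modelled on the local-policy route-map quoted in
# the reply above (same management IPs and next-hops).
IOS_CONFIG = """
ip local policy route-map router-mgmt-traffic
ip access-list extended same-int-dsl
 permit ip host 67.100.196.10 any
ip access-list extended same-int-mu1
 permit ip host 38.107.178.150 any
route-map router-mgmt-traffic permit 10
 description mgmt traffic should leave via same interface it came in on
 match ip address same-int-mu1
 set ip next-hop 38.107.178.149
!
route-map router-mgmt-traffic permit 20
 description mgmt traffic should leave via same interface it came in on
 match ip address same-int-dsl
 set ip next-hop 67.100.196.9
"""

# Hypothetical interface table: name -> (interface address/mask, ISP next hop).
# Interface names and /30 masks are assumptions; the page shows only addresses.
INTERFACES = {
    "Dialer1": ("67.100.196.10/30", "67.100.196.9"),
    "Gig0/1": ("38.107.178.150/30", "38.107.178.149"),
}


def parse_config(text):
    """Return (local-policy route-map name, {acl: [host ips]},
    {route-map: {seq: {"acl": ..., "next_hop": ...}}})."""
    local_policy, acls, seqs = None, {}, {}
    current_acl = current_seq = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"ip local policy route-map (\S+)$", line):
            local_policy = m.group(1)
            current_acl = current_seq = None
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            current_acl, current_seq = m.group(1), None
            acls[current_acl] = []
        elif m := re.match(r"route-map (\S+) permit (\d+)$", line):
            current_acl = None
            current_seq = seqs.setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})
        elif (m := re.match(r"permit ip host (\S+) any$", line)) and current_acl:
            acls[current_acl].append(m.group(1))
        elif (m := re.match(r"match ip address (\S+)$", line)) and current_seq is not None:
            current_seq["acl"] = m.group(1)
        elif (m := re.match(r"set ip next-hop (\S+)$", line)) and current_seq is not None:
            current_seq["next_hop"] = m.group(1)
    return local_policy, acls, seqs


def check_symmetric_return(text, interfaces):
    """For each interface, find the first route-map sequence (lowest number)
    whose ACL matches the interface address and confirm its next hop is that
    interface's own ISP gateway.  Returns {interface: status}."""
    local_policy, acls, seqs = parse_config(text)
    sequences = seqs.get(local_policy, {})
    results = {}
    for iface, (cidr, gateway) in interfaces.items():
        ip = str(ipaddress.ip_interface(cidr).ip)
        # No matching sequence: the packet follows the routing table and may
        # leave via the other ISP, which is exactly the asymmetry discussed.
        status = "UNMATCHED"
        for seq in sorted(sequences):
            entry = sequences[seq]
            if ip not in acls.get(entry.get("acl"), []):
                continue
            nh = entry.get("next_hop")
            if nh is None:
                status = f"NO-NEXT-HOP seq {seq}"
            elif nh == gateway:
                status = f"OK seq {seq}"
            else:
                status = f"WRONG-NEXT-HOP seq {seq} ({nh})"
            break  # first matching sequence wins, as on the router
        results[iface] = status
    return results


if __name__ == "__main__":
    for iface, status in check_symmetric_return(IOS_CONFIG, INTERFACES).items():
        print(f"{iface:10} {status}")
```

Run it against a copy of the running config with the real interface table; an `UNMATCHED` or `WRONG-NEXT-HOP` line points at exactly the interface whose replies would currently exit the wrong ISP.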
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of ron wilkerson
Sent: Thursday, February 23, 2012 12:54 AM
To: Cisco certification
Subject: Dual Internet w/ dedicated VPN Interface
Hey Guys,
Wondering if anyone out there has tried to use a dedicated interface on an ASA
for remote access VPNs.
Scenario is:
- 2 ISPs, 2 interfaces
- trying to use ISP A for remote access VPN
- use ISP B for everything else
- default route points to ISP B
I understand site-to-site VPN is doable as you can place static routes for the
static peer. But what about remote access?
I tried to make it work but I wasn't successful.
The VPN profile points to ISP A but the return traffic leaves out of ISP B
interface due to the default route. In the log, I saw this message:
%ASA-6-110003: Routing failed to locate next hop....
So am I trying something that isn't possible with an ASA?
I have this working on a router btw. The router terminates 2 ISP connections.
The remote access VPN terminates on F0/0 but the return path leaves out of
F0/1 and it works.
Thanks,
Ron
Blogs and organic groups at http://www.ccie.net
Received on Thu Feb 23 2012 - 06:36:49 ART
This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART