Re: Dual Internet w/ dedicated VPN Interface

From: Raphael Kruczkowski <kruczkowski_at_gmail.com>
Date: Fri, 24 Feb 2012 15:00:09 -0800

Had a similar issue with the management int on the ASA where I wanted
to separate this traffic from production. I could get it to work for
SSH, but not ICMP. Answer from TAC was that this is not possible and
the reason SSH worked was that it has its own routing table, separate
from the firewall.

Good luck if you get this to work, but I gave up on doing any
routing on the ASA.

On Thu, Feb 23, 2012 at 2:36 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> There is a trick published on cisco support forums based on policy based
> NAT. It may work for you if your primary traffic is of known types (I was
> thinking about http and https), so you can force those to
> ISP B and let the "main" default route go to ISP A.
>
> https://supportforums.cisco.com/docs/DOC-6069
>
> -Carlos
>
> ron wilkerson @ 23/02/2012 02:53 -0300 dixit:
>
>> Hey Guys,
>> Wondering if anyone out there has tried to use a dedicated interface on an
>> ASA for remote access VPNs.
>> Scenario is:
>> - 2 ISPs, 2 interfaces
>> - trying to use ISP A for remote access VPN
>> - use ISP B for everything else
>> - default route points to ISP B
>>
>> I understand site to site VPN is doable as you can place static routes for
>> the static peer. But what about remote access?
>> I tried to make it work but I wasn't successful.
>> The VPN profile points to ISP A but the return traffic leaves out of ISP B
>> interface due to the default route. In the log, I saw this message:
>>
>> %ASA-6-110003: Routing failed to locate next hop....
>>
>> So am I trying something that isn't possible with an ASA?
>>
>> I have this working on a router btw. The router terminates 2 ISP
>> connections. The remote access VPN terminates on F0/0 but the return path
>> leaves out of F0/1 and it works.
>>
>> Thanks,
>> Ron
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>

Received on Fri Feb 24 2012 - 15:00:09 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART