Cisco ASA with Dual ISPs one for Internet and one for VPN example

I had a situation recently where the 2Mb Internet connection at one of our offices was becoming congested. To try and alleviate the congestion I had a new ADSL line installed at the office with the intention of splitting traffic through the ASA. On the ASA 5505 it is not possible to load balance between the ISPs, so I thought I would leave the existing 2Mb connection for VPN traffic only and use the new ADSL connection for Internet traffic. It took me a while to figure out how to do this, so I thought I would document it here, because the solution is actually pretty simple.

To achieve this, all you have to do is set up static routes: the default route goes out through one connection, while both the remote VPN peer and traffic destined for the remote LAN subnet go out through the other. The diagram below shows the setup in a bit more detail:

[Diagram: Cisco ASA with 2 ISPs, one for Internet and one for VPN]

First, set up the three VLANs and their interface associations:

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
 switchport access vlan 12
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.254 255.255.255.0
interface Vlan2
 nameif VPN
 security-level 0
 ip address 172.16.1.1 255.255.255.0
interface Vlan12
 no forward interface Vlan1
 nameif Internet
 security-level 50
 ip address 192.168.1.1 255.255.255.0

(If you are using a Security Plus or higher license on your ASA 5505 you may not need the "no forward interface Vlan1" command in your setup.)

You then need to configure your static routes:

route Internet 0.0.0.0 0.0.0.0 192.168.1.254 1

(The ASA sends all traffic out of this default route via the ISP 1 ADSL connection, unless it matches one of the more specific static routes below.)

route VPN 10.2.2.0 255.255.255.0 172.16.1.254 1

(This static route sends all traffic destined for the remote office subnet, i.e. the interesting traffic defined for encryption, over the VPN via the ISP 2 connection.)

route VPN 172.16.2.1 255.255.255.255 172.16.1.254 1

(This static route sends all traffic destined for the remote office VPN peer via the ISP 2 connection.)
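As an added illustration (this is not part of the original post or the ASA configuration), the Python script below models the ASA's longest-prefix route lookup over the three routes above and checks the failure mode that bites most people with this setup: leave out the /32 host route to the peer, and IKE traffic to 172.16.2.1 follows the default route out of the Internet interface, so the tunnel is attempted via the wrong ISP. The Internet destination 203.0.113.10 is a constructed sample address.

```python
import ipaddress

# Static routes copied from the ASA configuration above:
# (egress interface, destination prefix, next hop, metric)
ROUTES = [
    ("Internet", "0.0.0.0/0",     "192.168.1.254", 1),  # default route, ISP 1 (ADSL)
    ("VPN",      "10.2.2.0/24",   "172.16.1.254",  1),  # remote office LAN, ISP 2
    ("VPN",      "172.16.2.1/32", "172.16.1.254",  1),  # remote VPN peer, ISP 2
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the static routes, lowest metric breaking ties,
    which is how the ASA picks the egress interface for a packet.
    Returns (interface, next_hop), or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[1].prefixlen, -best[3]):
            best = (iface, net, next_hop, metric)
    return None if best is None else (best[0], best[2])

def check_tunnel_routing(routes=ROUTES, peer="172.16.2.1", remote_lan="10.2.2.0/24"):
    """Return a list of problems with how the site-to-site tunnel would be routed.
    IKE/ESP packets to the peer and the cleartext traffic for the remote LAN must
    leave through the same (VPN) interface; if the peer address falls through to
    the default route, the tunnel is attempted via the wrong ISP."""
    problems = []
    peer_route = lookup(peer, routes)
    lan_route = lookup(str(ipaddress.ip_network(remote_lan)[1]), routes)
    if peer_route is None:
        problems.append("no route to VPN peer %s" % peer)
    if lan_route is None:
        problems.append("no route to remote LAN %s" % remote_lan)
    if peer_route and lan_route and peer_route[0] != lan_route[0]:
        problems.append("peer %s egresses via %s but remote LAN %s via %s"
                        % (peer, peer_route[0], remote_lan, lan_route[0]))
    return problems

if __name__ == "__main__":
    # 203.0.113.10 is a constructed sample Internet destination (TEST-NET-3).
    for dst in ("203.0.113.10", "10.2.2.10", "172.16.2.1"):
        print(dst, "->", lookup(dst))
    print("full config:", check_tunnel_routing() or "OK")
    # Drop the /32 host route to the peer, the route one commenter below was missing.
    without_peer_route = [r for r in ROUTES if r[1] != "172.16.2.1/32"]
    print("missing peer route:", check_tunnel_routing(without_peer_route))
```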

The actual setup of the site to site VPN connection is beyond the scope of this article but there is plenty of information elsewhere.


3 Responses to Cisco ASA with Dual ISPs one for Internet and one for VPN example

  1. Abdulhafeez Dangusau says:

    Reblogged this on Abdulhafeez Dangusau's Blog.

  2. Davis hayes says:

    Thanks! After a day of troubleshooting, I was missing 1 route statement. Thanks to you and Google!

  3. Georgi Ksotov says:

    Hi, Regards for that useful tutorial. Is it possible to accomplish that but for a remote access VPN, not site-to-site VPN?
