Cisco ASA with Dual ISPs one for Internet and one for VPN example

I had a situation recently where  the 2Mb Internet connection at one of our offices was becoming congested. To try and allieve the congestion I had a new ADSL line installed at the office with the intention on splitting traffic through the ASA. On the ASA 5505 it is not possible to load balance beween the ISPs, so I thought I would leave the exisitng 2Mb connection for VPN traffic only and use the new ADSL connection for Internet traffic. It took me a while to figure out how to do this, and so I thought I would document it here, because actually the solution is pretty simple.

In order to achieve this all you have to do is set up static routes to define the default route through one connection, and the remote VPN peer, and traffic destined for the remote LAN subnet through the other connection. The diagram below explains the set up in a bit more detail:

Cisco ASA with 2 ISPs one for Internet and One for VPN

Cisco ASA with 2 ISPs one for Internet and One for VPN

Firstly set up 3 vlans and their interface associations:

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 12

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address

interface Vlan2

nameif VPN

security-level 0

ip address

interface Vlan12

no forward interface Vlan1        (If using a security plus or higher license on your ASA 5505 you may not need this command in your set up)

nameif Internet

security-level 50

ip address

You then need to configure your static routes:

route Internet 1 

(ASA sends all traffic out of this default route via the ISP 1 ADSL connection, unless defined in the other static routes below)

route VPN 1   

 (This static route sends all traffic destined for the remote office subnet i.e. the interesting traffic defined for encryption, over the VPN via the ISP 2 connection)

route VPN 1  

(This static route sends all traffic destined for the remote office VPN Peer via the ISP 2 connection)

The actual setup of the site to site VPN connection is beyond the scope of this article but there is plenty of information elsewhere.

allow PPTP client through Cisco ASA 8.4 to external PPTP server

In order to allow a PPTP VPN client through a Cisco ASA firewall in order to access an external PPTP server you need to add the following to your configuration.

policy-map global_policy

class inspection_default

inspect pptp

Allow access to DMZ or other remote Vlan over VPN tunnel on Cisco ASA 8.4

I recently needed to provide internal access to a DMZ Vlan at one of my remote sites over a VPN tunnel. The VPN tunnel was provided by 2 Cisco ASA 5505 firewalls both running ASA software versions more recent than 8.4. The LAN subnets in this example can be defined as follows:

Main Office Subnet:

Remote Office Subnet:

Remote Office DMZ Subnet:

This article assumes that you already have the site to site VPN tunnel set up between the main office ( subnet and the remote office ( subnet, and that you have already created a network object for your main office subnet called main-office-lan, and for your remote office subnet called remote-office-lan on both ASAs. It also assumes that your DMZ interface on the remote ASA is called ‘dmz‘, and that you have an ACL defining interesting VPN traffic called main-remote-vpn on both ASAs.

Firstly create a network object for the remote office DMZ on both the main office and remote office ASAs. In configuration mode add the following two commands

object network remote-office-dmz


Next create a network object group for the 2 subnets at your remote site on both the main office and remote office ASAs

object-group network remote-office-networks
network-object object remote-office-lan
network-object object remote-office-dmz

Next, on the remote office ASA exempt traffic from the remote office DMZ subnet, to main office subnet from Network Address Translation (NAT) on the outside interface. i.e. traffic that will be travelling from the to the subnet over the VPN tunnel. In configuration mode add the following command:

nat (dmz,outside) source static remote-office-dmz remote-office-dmz destination static main-office-lan main-office-lan

Then on the remote office ASA change the ACL that defines interesting traffic for your site to site vpn tunnel (in this case called main-remote-vpn) to include the the dmz subnet, by using the network object group that you created earlier:

access-list main-remote-vpn extended permit ip object-group remote-office-networks object main-office-lan

Next you need to modify the configuration of the main office ASA to exempt traffic travelling over the VPN tunnel to the remote office DMZ from NAT, and also add the remote office subnet to the ACL that defines interesting traffic for your site to site VPN tunnel:

Modify the NAT rule on the main office ASA in config mode:

nat (inside,outside) source static main-office-lan main-office-lan destination static remote-office-networks remote-office-networks

Then modify the ACL that defines your site to site VPN traffic in config mode:

access-list main-remote-vpn extended permit ip object main-office-lan object-group remote-office-networks

Thats it, you should now be able to connect to hosts in the DMZ at you remote site over your site to site VPN connection. If you have multiple site to site VPNs from your main office network you may need to tweak this config , but the theory is the same.

PLEASE NOTE: This configuration will allow hosts in the DMZ at your remote site to connect to any hosts in your main office network! Clearly in most cases this will not be desirable, unless the additional remote Vlan is not a DMZ and performs some other function, which is not exposed directly to the Internet (which was the situation in my case). In any event you may wish to use VPN filters  to restrict traffic from the remote DMZ Vlan to your main office, or by disabling sysopt connection permit-vpn using the no sysopt connection permit-vpn command and applying ACLs to your outside interface. Excercise caution when applying either of these types of filtering to make sure you don’t restrict yourself from the site to site VPN tunnel.

Cisco ASA (8.4) to PIX (6.x) Site to Site VPN example

Here is a basic example of a site to site VPN between a Cisco ASA firewall running version 8.3 or higher, and a Cisco PIX firewall running version 6.x

Configuration for the Cisco ASA side of the connection:

Define network objects for your internal subnets:

object network Main-Office

object network Branch-Office

Create an access list for the VPN traffic using the network objects that you have created:

access-list VPN-to-Branch-Office extended permit ip object Main-Office object Branch-Office

Use double NAT (effictively no nat) to ensure the traffic travelling across the VPN tunnel will not have NAT applied to it:

nat (inside,outside) source static Main-Office Main-Office destination static Branch-Office Branch-Office

Create a transform set using the encryption of your choice, in this case AES 128:

crypto ipsec ikev1 transform-set myset-aes128 esp-aes esp-sha-hmac

Ensure IKE version 1 is enabled on the outside interface:

crypto ikev1 enable outside

Create a policy for phase 1 of the VPN connection:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Configure a tunnel group containing the Pre Shared Key:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
ikev1 pre-shared-key My53cr3tPSK

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 match address VPN-to-Branch-Office
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer            (This should be set to the ip of the outside interface of the PIX you are connecting to)
crypto map myvpnmap 10 set ikev1 transform-set myset-aes128
crypto map myvpnmap interface outside


Configuration for the Cisco PIX side of the connection:

Configure an access list for the VPN tunnel:

access-list 100 permit ip

Make sure NAT is not applied to traffic passing across the VPN tunnel:

nat (inside) 0 access-list 100

Configure the PIX to permit IPSEC:

sysopt connection permit-ipsec

Create a policy for phase 1 of the VPN connection:

isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

Configure keepalives to match the default setting on the ASA of 10 seconds retry 2 seconds:

isakmp keepalive 10

Create a transform set to match the ASA end of the connection, in this case AES 128:

crypto ipsec transform-set myset-aes128 esp-aes esp-sha-hmac

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 ipsec-isakmp
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer               (This should be set to the ip of the outside interface of the ASA you are connecting to)
crypto map myvpnmap 10 set transform-set myset-aes128
crypto map myvpnmap interface outside

Configure the Pre Shared Key to match the other end of the connection

isakmp key My53cr3tPSK address netmask no-xauth no-config-mode

Quick basic configuration of a Cisco ASA firewall for custom IP address and ASDM access

Here are a few quick commands to wipe a Cisco ASA series firewall, resetting it to factory defaults, and then enabling the device for an IP address on your own subnet rather than the default, as well as setting up ASDM and telnet and ssh access. This gives you a very basic configuration from which you can access the device. First connect to the device via the console port and run the following commands to wipe the device:

ciscoasa> enable

ciscoasa# conf t

ciscoasa(config)# configure factory-default

Once the device has loaded the default configuration, disable DHCP on the inside interface to prevent the device dishing out IP addresses. This may not be relevant in your environment but in ours DHCP is provided elsewhere:

ciscoasa(config)# no dhcpd enable inside

ciscoasa(config)# no dhcpd address inside

Set the ip address for the inside LAN on interface vlan1 if this is the vlan you are using for the inside network:

ciscoasa(config)# int vlan1

ciscoasa(config-if)# ip address

ciscoasa(config-if)# exit

Enable the http server, and allow access from the inside subnet

ciscoasa(config)# http server enable

ciscoasa(config)# http inside

Configure the local AAA authentication database and create a new user account to log in to ASDM with:

ciscoasa(config)# aaa authentication http console LOCAL

ciscoasa(config)# username oasysadmin password Pa55word

Enable telnet and/or ssh on the inside interface if required:

ciscoasa(config)# telnet inside

ciscoasa(config)# ssh inside

ciscoasa(config)# aaa authentication ssh console LOCAL

Set the enable password

ciscoasa(config)# enable password Pa55word

Save the configuration and reload

ciscoasa(config)# write mem

ciscoasa(config)# exit

ciscoasa# reload

Upgrading the ASA and ADSM software on a Cisco ASA series firewall

Firstly telnet or ssh in to your ASA device, in this example I am using an ASA 5505 with a security plus license installed.


Type in your telnet password. At the prompt type:


At this stage you can use the show version command to show the current running ASA software version. The show bootvar command will also show you which software image file the device is using. Next type:

show disk0:

This will show you the current contents of your flash memory and also the amount of free space. It is important that you check that there is enough free space in flash memory to accomodate the new image files that you want to upload before doing so. In this example the current running versions were:



I also noticed a couple of other software images taking up space in the flash memory which were asa831-k8.bin and asdm-631.bin. Knowing that these were not currently in use, and that I would be upgrading to a more recent version I decided to delete these to free up space by issuing the following commands:

delete asa831-k8.bin

delete asdm-631.bin

Having downloaded asa842.bin and asdm645-206.bin from, I next copied these the the flash memory on the ASA, as shown in the prompts and commands below:

copy tftp disk0:

address or name of remote host []?   Press ‘Return’ to confirm or enter a different ip address for an alternative tftp server

source filename [asa821-k8.bin]? asa842-k8.bin

destination filename [asa842-k8.bin]? Press return to confirm the destination filename

Ths ASA software image will copy from the tftp server to flash memory.

copy tftp disk0:

address or name of remote host []?   Press ‘Return’ to confirm or enter a different ip address for an alternative tftp server

source filename [asa821-k8.bin]? asdm-645-206.bin

destination filename [asdm-645-206.bin]? Press return to confirm the destination filename

The ASDM software image will copy from the tftp server to flash memory.

Enter configuration mode:

conf t

Next set the new ASA software image to be the boot image using the following command:

boot system disk0:/asa842-k8.bin

Then set the new ASDM software image to be the preferred ASDM image:

asdm image disk0:/asdm-645-206.bin

Issuing the following commands to save these settings:


write mem

and then the following command to restart the ASA device:


At this stage you should be done although in this example I came up against another issue that I will explain for completeness. After rebooting the ASA the device came up fine but on trying to access ASDM, after logging in the status bar would hang on 15% with a status of ‘Discovering Device Information’. I was unable to access ASDM. Notes on explained that after the software upgrade is completed the system will upgrade the configuration on the following boot. When upgrading from 8.2.1 to 8.4.2 the subsequent configuration upgrade caused an error log to be written to flash in the format:


These error logs can be viewed by issuing the command:

show startup-config errors

In this case the content of these log files was:

INFO: MIGRATION – Saving the startup errors to file ‘flash:upgrade_startup_errors_201112201404.log’ Reading from flash… ! REAL IP MIGRATION: WARNING In this version access-lists used in ‘access-group’, ‘class-map’, ‘dynamic-filter classify-list’, ‘aaa match’ will be migrated from using IP address/ports as seen on interface, to their real values. If an access-list used by these features is shared with per-user ACL then the original access-list has to be recreated. INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces are not detectable by automated Real IP migration. If your deployment contains such scenarios, please verify your migrated configuration is appropriate for those overlapping addresses/ranges. Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated migration process.

INFO: MIGRATION – Saving the startup configuration to file

INFO: MIGRATION – Startup configuration saved to file ‘flash:8_2_1_0_startup_cfg.sav’ *** Output from config line 4, “ASA Version 8.2(1) ” NAT migration logs: INFO: NAT migration completed. Real IP migration logs:  No

In order to complete the configuration upgrade it was necessary to save the config to memory as stated here:

write mem

After restarting the ASA device a second time ASDM was accessible, and the upgrade was complete.


Cisco ASA 5500 Migration to Version 8.3 and Later

Release Notes for the Cisco ASA 5500 Series, 8.4(x)

PIX/ASA: Upgrade a Software Image using ASDM or CLI Configuration Example