Latest post 10-14-2016 6:10 AM by cristian.matei. 3 replies.
  • 10-07-2016 3:00 AM

    VPN ASA Static to Dynamic issue

    Dear all,

    1- I want to set up a site-to-site VPN, static to dynamic, between the main and branch offices.

    2- The branch ASA has a dynamic IP address from the ISP.

    3- The main ASA has two WAN interfaces. One of them has a dynamic IP and is NATed behind a TB-link ADSL router (this WAN interface is used for normal Internet traffic).

    The other WAN interface is connected to a leased line and has a public static IP which couldn't be used unless you have a route to a specific gateway in the ISP, and this is the WAN interface I want to use for the VPN connection.

    4- On the ASA I have one default route:

     route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    (192.168.1.1 is the IP of the TB-link router)

    The problem:

    When the branch tries to make a connection to the public static IP at the main office, the main ASA replies through the outside interface. This is my problem because, as I said, the main ASA should reply through the same interface (the leased line interface), because the leased line public static IP is unusable unless I forward it to the specific gateway on the ISP.

    I need a way to make the main ASA reply to branch office requests through the leased line interface, not through the outside interface.

     

     

     

  • 10-12-2016 10:35 AM In reply to

    Re: VPN ASA Static to Dynamic issue

    Do you have a default route also out the WAN interface?

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com

     

  • 10-12-2016 10:50 PM In reply to

    Re: VPN ASA Static to Dynamic issue

    Yes, as I mentioned before, there is a default route on the outside interface.

    The main ASA has 2 WAN interfaces:

    1- outside: for ADSL, and it has a default route to the ADSL router

     route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    (192.168.1.1 is the IP of the TB-link router)

    2- outside2: connected to the leased line cable, and it has the IP 86.25.56.32

    This IP 86.25.56.32 COULDN'T REACH the Internet until I PUT THE DEFAULT GATEWAY 86.25.56.33

    - The branch tried to reach 86.25.56.33 and it reached it, but the reply from the main ASA does not return via the leased line. It returns via outside because there is no route to the branch IP (which is dynamic, and I don't know what it is).

     

     

  • 10-14-2016 6:10 AM In reply to

    Re: VPN ASA Static to Dynamic issue

    Hi,

    You can configure zoning with two default routes for load-balancing and/or high-availability; otherwise you can configure policy-based routing and route all Internet traffic on ISP1 and VPN traffic on ISP B (also in this case you still need ECMP for those two default routes).

    Regards,

    Cristian.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com



     
