We have completed the upgrade of IEOC! All posts, comments and user profiles have been migrated. For security reasons, we have reset all passwords. To set a new password please Click Here. Further updates soon to follow.

VPN ASA Static to Dynamic issue

Dear all,

1-I want to make a VPN site to site, static to dynamic, between main and branch offices.

2- the branch ASA has a dynamic ip address from ISP.

3- the main ASA have two WAN interfaces ,one of them have a dynamic IP and nated behind a TB-link ADSL router (this WAN interface is used for normal internet traffic ).

The other WAN interface is connected to a leased line and has a public static IP which couldn't be used unless you have a route to a specific gateway in the ISP, and this WAN interface I want to use for the VPN connection.

4-on the ASA i have one default route:

 route ousdie 0.0.0.0 0.0.0.0 192.168.1.1 1

(192.168.1.1 is the IP of TB-link router)

 

the problem:

When the branch trys to make a connection to the public static IP on the main office .the main asa replys through the outside interface. and here is my problem because as I said a main ASA should reply through the same interface (leased line interface )becuase leased line public static ip is unusable unless i forwarded to the specific gateway on the ISP.

I need a way to make the main ASA reply to branch office requests through the leased line interface not through the ouside interface. 

 

 

 

Comments

  • Do you have a default route also out the WAN interface?

  • Yes, as I mentioned before there is a default route on outside interface.

    the Main ASA have 2 WAN : 1- outside: for adsl and has a default route to the adsl router 

                                       route ousdie 0.0.0.0 0.0.0.0 192.168.1.1 1

                                            (192.168.1.1 is the IP of TB-link router)

                                         2- outside2 : conneceted to leased line cable and has an ip 86.25.56.32 

                  this IP 86.25.56.32 COULDN'T REACH the internet until I PUT THE DEAFULT GATEWAY 86.25.56.33

    -The branch tried to reach 86.25.56.33 and it reached but the reply from main ASA notreturn via leased line. it return via outside becuase there is no route to the branch IP (which is dynamic and  i don't know what it is).

     

     

  • Hi,

       You can configure zoning with two default routes for load-balancing and/or high-availability; otherwise you can configure policy based-routing and route all Internet traffic on ISP1 and VPN traffic on ISP B (also in this case you still need ECMP for those two default routes).

    Regards,

    Cristian.

Sign In or Register to comment.