Friday, January 2, 2009

IPSec tunnels on a dual homed Cisco ASA 5510

I recently had an issue where a client wished to route one IPSec tunnel over one ISP, and another tunnel over another ISP. One ISP was on the outside interface, and the other ISP was on an interface called backup-link.

I assumed, incorrectly, that it was going to be as simple as adding a static route for the IP of the destination to route through the second ISP's gateway. That did allow me to bring up the tunnel, but traffic would not pass.

The route I added was something along the lines of:

route backup-link my.external.address my.netmask my.2nd.isps.gateway 1

As it turns out, the ASA still forwards the traffic to be tunneled according to its ordinary routing table: with only the first route in place, packets for the remote office's internal subnet followed the default route out the outside interface and never reached the tunnel terminating on backup-link. So I had to add a second route, for that subnet, like so:

route backup-link my.internal.subnet.at.the.other.office my.netmask my.2nd.isps.gateway 1

And that seemed to work.
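Here is what the two routes look like in a full fragment of ASA configuration. This is an added example, not the configuration from the post: the interface name backup-link is the post's, but every address (taken from the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 10.0.0.0/8 documentation and private ranges), the crypto map name BACKUP_MAP and the access-list name VPN_TO_REMOTE are assumptions.

```cisco
! Added example (not the original post's configuration). All addresses,
! the crypto map name and the access-list name are constructed placeholders.
!
! Interfaces: outside = primary ISP (carries the default route),
!             backup-link = second ISP (where this tunnel must terminate).
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Route 1: reach the remote VPN peer itself (assumed 203.0.113.10) through the
! second ISP, so IKE negotiation and ESP leave via backup-link.
route backup-link 203.0.113.10 255.255.255.255 192.0.2.1 1
!
! Route 2 (the one that was missing): the remote office's internal subnet
! (assumed 10.20.0.0/16) must also point out backup-link. Without it the
! cleartext packets for 10.20.0.0/16 follow the default route to outside,
! never match the crypto map bound to backup-link, and are never encrypted.
route backup-link 10.20.0.0 255.255.0.0 192.0.2.1 1
!
! Interesting traffic: local 10.10.0.0/16 (assumed) to the remote subnet.
access-list VPN_TO_REMOTE extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
!
! The crypto map must be applied to backup-link, not outside, and its peer is
! the address routed above. Transform set, tunnel-group and pre-shared key
! are omitted here; they are unchanged by which ISP carries the tunnel.
crypto map BACKUP_MAP 10 match address VPN_TO_REMOTE
crypto map BACKUP_MAP 10 set peer 203.0.113.10
crypto map BACKUP_MAP interface backup-link
```

To confirm the fix took, check that both static routes appear in `show route`, then send traffic toward the remote subnet and watch the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa`. A tunnel that is up while those counters stay at zero is the symptom described above, and the missing subnet route is the first thing to look for. NAT exemption for the VPN traffic on the inside interface is still required regardless of which ISP the tunnel uses.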

3 comments:

Dburn said...

They do a good job with this software.

Dburn said...

Oh yeah, finally negotiated a monthly retainer with a client that I had been doing sporadic work for.

Now that the printers are paid off I know the income will be there for the basics this year.

The MSI wind is cool. Does it function with MacOS X? Enough processor?

Dburn said...

Hey, I just got a cool geek gadget. A friend of mine reps a microphone line for musicians and they came out with a USB table mic - retails for $100 or so. It's real cool. Perfect recordings. I'm taking it to talk to a client about her website with the mini computer. Perfect combo.

Here's the link
http://www.cadmics.com/USB_U7.php