
asa 5510 question

Status
Not open for further replies.

rainbow007

Technical User
Dec 4, 2008
2
GB
Hi,
I have multiple VLANs (VLAN 10, 20, 30) on a Cisco 3560 Layer 3 switch with routing enabled. We have an ASA 5510 serving the Internet, both inbound and outbound. There is also a site-to-site VPN set up.

Goal and Intentions:
===============
We have another leased line provided by BT, which we want to use. We have another ASA 5510 to use against this line. We may need to transfer the existing site-to-site VPN to this line.

My concerns are:
===============
How can I only allow VPN traffic and restrict any other traffic, such as Internet access or anything else, so that I can use the bandwidth efficiently?
How can I optimize my bandwidth?
What if I just want to use this ASA 5510 for site-to-site VPN plus WebVPN?
Can somebody give some examples please?
Keep in mind that the existing VLANs all point to the existing ASA 5510 for any web or VPN connections, so what happens when I put in the new ASA 5510, and how can I make sure only VPN traffic from any internal VLAN goes to this second ASA 5510 while all the web traffic stays on the primary ASA 5510?
Any ideas are greatly appreciated.
red
 
If you are just going to do VPN on the other one, then you can control it by using access lists applied to the inside interface: just don't allow internal traffic in on that interface destined to anywhere but your VPN. You effectively cut it off for anything but VPN. If you need to restrict the VPN tunnels themselves, disable the sysopt connect permit ipsec and use your ACLs explicitly (this is much harder to configure than it sounds).

If you have two 5510s it would be best to do active/active failover. Then one can handle the VPN traffic and the other web/Internet traffic, and if you have a failure, it switches over. That's the coolest setup.


Brent
Systems Engineer / Consultant
CCNP, CCSP
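An added example (not from either post) of what the suggestion above looks like as configuration on the second ASA 5510: an inside-interface ACL that admits only traffic bound for the remote VPN site, the outside ACL made to apply to tunnel traffic by disabling the sysopt bypass, and the tunnel itself. Addresses, interface names, the peer address and the key are assumed placeholders from the documentation ranges.

```cisco
! Added example, not from the original thread: a VPN-only ASA 5510 on the BT line.
! All addresses, names and the peer are placeholders (documentation ranges).
! Assumed: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, VLAN 30 =
! 192.168.30.0/24, 3560 SVI on VLAN 10 = 192.168.10.1, remote site = 10.50.0.0/16.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
!
! Inside ACL: only traffic bound for the remote site is accepted from the LAN.
! The final deny (logged) stops any Internet traffic from using this box.
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Crypto ACL ("interesting traffic"): the same LAN-to-remote-site flows.
access-list VPN_TRAFFIC extended permit ip 192.168.0.0 255.255.0.0 10.50.0.0 255.255.0.0
!
! By default decrypted VPN traffic bypasses the outside ACL (sysopt connection
! permit-vpn). Disable that bypass so the outside ACL also governs tunnel traffic.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip 10.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Routes: the other VLANs sit behind the 3560; default route to the BT router.
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Site-to-site tunnel (ASA 7.x/8.0 syntax; the pre-shared key is a placeholder).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
```

On the 3560 side, steering only remote-site traffic to this box is a single static route for the remote subnet pointing at the new ASA's inside address (for example `ip route 10.50.0.0 255.255.0.0 192.168.10.2`), while the switch's default route stays on the primary ASA so all Internet traffic keeps using it.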
 