Remote Access - VPN

Unanswered Question
Jan 24th, 2008

I have the following configuration in an ASA5505-SEC-BUN-K8:

interface Vlan1
 nameif Servers
 security-level 100
 ip address

interface Vlan10
 nameif internet
 security-level 0
 ip address

interface Vlan90
 nameif huespedes
 security-level 40
 ip address

interface Vlan201
 nameif dmz
 security-level 50
 ip address

interface Vlan254
 nameif bogota
 security-level 100
 ip address


I would like to know on which interface the VPN has to be enabled:

crypto map ?????_map interface ????

crypto isakmp enable ?????

My outside interface is called internet.

If I have 30 public IPs and the DMZ VLAN is using one of these public IPs, how do I need to set up my VPN access?


ajagadee Thu, 01/24/2008 - 14:40

I would recommend that you apply the crypto map on the interface where your default route is pointing to. The reason is, for Remote Access VPN, the user would be coming from any source IP and for the ASA to route the packets back to the VPN Client, a default route will scale much better.



** Please rate all helpful posts **

Rafael Jimenez Thu, 03/06/2008 - 06:09

What if my outside interface is not directly connected to the internet? My outside interface in my ASA5500 is connected to the ISP router, but the ISP gave me a 10.x.x.x/32 subnet.

The ISP routers forward the subnet with the public IPs to my firewall.

brettmilborrow Thu, 03/06/2008 - 06:45

In that case you will not be able to terminate the remote access VPNs on the firewall unless the ISP NATs one of your public IPs to the external interface of your ASA.

The only other way around this will be to use some of your public address space on the network between the firewall and ISP router.

Rafael Jimenez Fri, 03/07/2008 - 06:28

If I select the ISP NAT option, how do I need to set up the ASA to avoid the NAT-IPsec issue?


brettmilborrow Fri, 03/07/2008 - 15:33

You need to enable nat traversal with the following command:

"isakmp nat-traversal"

Good Luck!
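Putting the two answers above together (ajagadee's advice to bind the crypto map to the interface the default route points out of, and brettmilborrow's NAT traversal command), here is an added example ASA configuration that is not from the thread or from the original poster's box. The interface name "internet" comes from the question; the map and pool names, the 203.0.113.1 next hop, the address pool, the tunnel-group name and the pre-shared key are assumed placeholders.

```cisco
! Added example, not the thread's own config. Names/addresses are placeholders.
!
! The default route decides the interface: remote users come from any source
! address, so the only return path that scales is the default route.
route internet 0.0.0.0 0.0.0.0 203.0.113.1
!
! IKEv1 phase 1 policy for the remote-access clients
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Enable ISAKMP only on the interface facing the ISP (the "internet" VLAN
! from the question); it stays disabled on Servers, dmz, huespedes, bogota.
crypto isakmp enable internet
!
! NAT traversal for the case where the ISP NATs a public address to the
! ASA's 10.x.x.x outside address: ESP is carried inside UDP/4500 instead of
! raw IP protocol 50, which the ISP's NAT cannot track. 20 = keepalive secs.
crypto isakmp nat-traversal 20
!
! Phase 2 transform set and a dynamic map (client peer address is unknown)
crypto ipsec transform-set RA-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map internet_dyn_map 10 set transform-set RA-AES256-SHA
crypto map internet_map 65535 ipsec-isakmp dynamic internet_dyn_map
!
! Bind the crypto map to the SAME interface that carries the default route
crypto map internet_map interface internet
!
! Minimal remote-access tunnel group (assumed pool and group name)
ip local pool RA-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key CHANGE-ME-PLACEHOLDER
!
! Checks once a client behind the ISP NAT connects:
!   show crypto isakmp sa   - phase 1 SA present for the client's NAT'd address
!   show crypto ipsec sa    - encaps/decaps counters increase, UDP encaps shown
```

With the ISP forwarding the public block toward the ASA instead of NATing, the same binding applies, only then the "internet" interface carries a public address and NAT-T is negotiated but not used.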
