Remote Access - VPN

Rafael Jimenez
Level 4

I have the following configuration in an ASA5505-SEC-BUN-K8:

!
interface Vlan1
 nameif Servers
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan10
 nameif internet
 security-level 0
 ip address 10.0.11.99 255.255.0.0
!
interface Vlan90
 nameif huespedes
 security-level 40
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan201
 nameif dmz
 security-level 50
 ip address 201.245.184.225 255.255.255.224
!
interface Vlan254
 nameif bogota
 security-level 100
 ip address 192.168.252.2 255.255.255.252
!

I would like to know on which interface I have to enable the VPN:

crypto map ?????_map interface ????

crypto isakmp enable ?????

My outside interface is called internet.

If I have 30 public IPs and the DMZ VLAN is using one of these public IPs, how do I need to set up my VPN access?

Thanks

6 Replies

ajagadee
Cisco Employee

I would recommend that you apply the crypto map on the interface where your default route is pointing to. The reason is, for Remote Access VPN, the user would be coming from any source IP and for the ASA to route the packets back to the VPN Client, a default route will scale much better.

Regards,

Arul

** Please rate all helpful posts **

What if my outside interface is not directly connected to the internet? My outside interface on my ASA5500 is connected to the ISP router, but the ISP gives me a 10.x.x.x/32 subnet.

The ISP routers forward the subnet with the public IPs to my firewall.

In that case you will not be able to terminate the Remote Access VPNs on the firewall unless the ISP NATs one of your public IPs to the external interface of your ASA.

The only other way around this will be to use some of your public address space on the network between the firewall and ISP router.

If I select the ISP NAT option, how do I need to set up the ASA to avoid the NAT-IPsec issue?

Thanks.

You need to enable nat traversal with the following command:

"isakmp nat-traversal"

Good Luck!
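As an added example (not from any of the posters), the following Python script applies the advice in this thread as a check over a constructed ASA configuration fragment: it finds the interface the default route uses, confirms the crypto map and ISAKMP are bound to that same interface, and confirms NAT traversal is configured. The config text, the next hop 10.0.0.1 and the crypto map name internet_map are assumptions built from the interfaces in the question.

```python
import re

# Constructed ASA (pre-8.3 syntax) fragment: the thread's interfaces plus the
# remote-access commands the replies describe. Not the poster's real config.
SAMPLE_CONFIG = """
interface Vlan1
 nameif Servers
 security-level 100
 ip address 192.168.80.1 255.255.255.0
interface Vlan10
 nameif internet
 security-level 0
 ip address 10.0.11.99 255.255.0.0
interface Vlan201
 nameif dmz
 security-level 50
 ip address 201.245.184.225 255.255.255.224
route internet 0.0.0.0 0.0.0.0 10.0.0.1 1
crypto map internet_map interface internet
crypto isakmp enable internet
crypto isakmp nat-traversal 20
"""

def default_route_interface(config):
    """Return the nameif the default route points out of, or None."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    return m.group(1) if m else None

def check_remote_access_vpn(config):
    """Check the thread's advice: the crypto map and ISAKMP belong on the
    default-route interface, and NAT-T should be configured when the ASA's
    public address is NATed by the ISP. Returns a list of findings."""
    findings = []
    egress = default_route_interface(config)
    if egress is None:
        return ["no default route found; cannot pick the VPN interface"]
    maps = re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)
    if not maps:
        findings.append("no crypto map bound to any interface")
    for name, intf in maps:
        if intf != egress:
            findings.append(f"crypto map {name} is on {intf}, default route uses {egress}")
    if not re.search(rf"^crypto isakmp enable {re.escape(egress)}$", config, re.M):
        findings.append(f"isakmp not enabled on {egress}")
    if not re.search(r"^crypto isakmp nat-traversal", config, re.M):
        findings.append("nat-traversal not configured; needed when the ISP NATs the ASA")
    return findings

if __name__ == "__main__":
    print(check_remote_access_vpn(SAMPLE_CONFIG) or ["ok"])
```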

onlyabhishek007
Level 1

You will enable it on the internet.
