ASA5520 with 2 Public VPN interfaces

Unanswered Question

We have an ASA5520 with 3 active VPN connections, currently with one active Public interface on a DSL link (8 IP addresses), and an EOL PIX 515 VPN with 7 VPN connections on another Public network (10Mb connection, Class C network).

We need to migrate the VPN tunnels from the 515 to the 5520. I would like to create a new Public Interface on the 5520 in the 10Mb Class C pool, and migrate the 515 tunnels over to this, then move the 3 existing VPN tunnels onto this 10Mb network. Finally, decommission the DSL link and interface.

First, can the ASA5520 support VPN configuration with 2 separate Public IP interfaces, and Second, if this is possible, could I get a configuration example of this setup?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
husycisco Mon, 01/28/2008 - 17:30

Hi Russel

Yes ASA5520 supports VPN configuration for more than one public IP. But...

ASA or PIX cannot have IPs assigned in same subnet to interfaces. For example if you assign the ip address of xxx.xxx.xxx.50 255.255.255.248 from your 8 IP addressed public octet, you can not assign another IP in this subnet to another interface.

Here is a sample config

L2L peer 1=

Peer IP: yyy.yyy.yyy.88

LAN Subnet: 192.168.50.0/24

Pre-shared-key:asdf

L2L peer 2=

Peer IP: aaa.aaa.aaa.25

Lan Subnet: 172.16.10.0/24

Pre-shared-key: jklm

int eth0

nameif outside1

sec 0

no shu

dup au

ip add xxx.xxx.xxx.50 255.255.255.248

int eth1

nameif inside

sec 100

dup au

no shu

ip add anipinlocalnetwork localnetworkmask

int eth2

nameif outside2

sec 1

no shu

dup au

ip add xxx.xxx.xxx.58 255.255.255.248

route outside2 aaa.aaa.aaa.25 255.255.255.255 xxx.xxx.xxx.56

route outside2 172.16.10.0 255.255.255.0 xxx.xxx.xxx.56

route outside1 0.0.0.0 0.0.0.0 xxx.xxx.xxx.48

access-list peer1 permit ip localnetwork localnetmask 192.168.50.0 255.255.255.0

access-list peer2 permit ip localnetwork localnetmask 172.16.10.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside1_map 10 set peer yyy.yyy.yyy.88

crypto map outside1_map 10 match-address peer1

crypto map outside1_map 10 set transform-set ESP-3DES-MD5

crypto map outside1_map interface outside

crypto map outside2_map 10 set peer aaa.aaa.aaa.25

crypto map outside2_map 10 match-address peer2

crypto map outside2_map 10 set transform-set ESP-3DES-MD5

crypto map outside2_map interface outside

tunnel-group yyy.yyy.yyy.88 type ipsec-l2l

tunnel-group yyy.yyy.yyy.88 ipsec-attributes

pre-shared-key asdf

tunnel-group aaa.aaa.aaa.25 type ipsec-l2l

tunnel-group aaa.aaa.aaa.25 ipsec-attributes

pre-shared-key jklm

crypto isakmp enable outside1

crypto isakmp enable outside2

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

nat (inside) 1 0 0

nat (inside) 0 access-list inside_nat0_outbound

global (outside1) 1 interface

global (outside2) 1 interface

access-list inside_nat0_outbound permit ip localnetwork localnetmask 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound permit ip localnetwork localnetmask 172.16.10.0 255.255.255.0

I might have typos/missings as I have been typing for 30 mins and its late here :) I hope this helps, feel free to ask further questions

Regards

Thank you for this fast response! Even if there are typo's, I can proceed with this project using this information. (Just needed confirmation before proceeding). I am suprised that Cisco does not have this scenario posted as an example, I would think that it would be fairly common to have a single device with 2 separate Internet links, and VPN connections on both of them...

Hope I did not make you stay up too late!... :)

husycisco Wed, 01/30/2008 - 16:11

"Just needed confirmation before proceeding"

I have an ASA 5540 with 2 RA and 8 L2L VPN tunnels terminated in different interfaces. I will be monitoring this question for future questions that may occur during process.

"Hope I did not make you stay up too late"

Dont worry, you didnt :)

You are welcome.

Please dont forget to rate post(s)that was helpful and to check resolved issue if resolved your question

Regards

Actions

This Discussion