ASA VPN Interface should be outside interface?

Unanswered Question
Dec 12th, 2008
User Badges:


is it necessary that the interface what we want to use for vpn is simultaneous the outside-interface?

Or is it possible to have one outside-interface and another physical interface for vpn???


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
husycisco Fri, 12/12/2008 - 03:07
User Badges:
  • Gold, 750 points or more

Hello Lydia,

Sure you can have VPN terminated at every interface of firewall, with the proper routes for peers and NAT statements are added.


laptev.valery Mon, 04/26/2010 - 23:39
User Badges:

you can allow VPN on inside interfa

ce too, you can put mark in the chekbox, in IPsec connections page(ASDM)

astripat Tue, 04/27/2010 - 13:14
User Badges:

Hi Lydia,

You can terminate the vpn on any interface. Let's take the following example:

  Router (Remote n/w


       ISP1   ISP2

    |                 |

outside        outside2

     \          /

      \        /




Let's say that we have established a L2L tunnel  with a router and the network behind the router to which we want to talk is

Now, on the ASA we have the default route as follows:

route outside 0 0

Now, if the cryptomap is applied on outside2 interface and the tunnel gets initiated from the remote router, the packet would reach the firewall, but when the reply goes, it checks the routing table and sends the packet towards outside interface and it gets dropped. So, we need to have a specific route fro the remote n/w as follows to make it work:

route outside2




This Discussion