ASA VPN Interface should be outside interface?

Unanswered Question
Dec 12th, 2008

Hey,

Is it necessary that the interface we want to use for VPN is simultaneously the outside interface?

Or is it possible to have one outside interface and another physical interface for VPN?

greetings

husycisco Fri, 12/12/2008 - 03:07

Hello Lydia,

Sure, you can have VPN terminated at every interface of the firewall, provided the proper routes for the peers and the NAT statements are added.

Regards

laptev.valery Mon, 04/26/2010 - 23:39

You can allow VPN on the inside interface too: you can put a mark in the checkbox on the IPsec connections page (ASDM).

astripat Tue, 04/27/2010 - 13:14

Hi Lydia,

You can terminate the VPN on any interface. Let's take the following example:

      Router (Remote n/w 192.168.1.1/24)
                    |
           ISP1            ISP2
         2.2.2.2          3.3.3.3
            |                |
         outside          outside2
             \              /
              \            /
                   ASA
                    |
                 Inside

Let's say that we have established a L2L tunnel with a router and the network behind the router to which we want to talk is 192.168.1.1/24.

Now, on the ASA we have the default route as follows:

route outside 0 0 2.2.2.2

Now, if the crypto map is applied on the outside2 interface and the tunnel gets initiated from the remote router, the packet would reach the firewall, but when the reply goes, it checks the routing table and sends the packet towards the outside interface and it gets dropped. So, we need to have a specific route for the remote n/w as follows to make it work:

route outside2 192.168.1.0 255.255.255.0 3.3.3.3

HTH

Ashu.
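The routing decision Ashu describes is a plain longest-prefix-match lookup: the reply toward 192.168.1.1 follows whichever route is most specific, and if that route's interface is not the one holding the crypto map, the reply leaves in clear text on the wrong interface and the tunnel never completes. The following script is an added example written for this thread, not code from the original post or from Cisco: it parses ASA-style `route` lines (including the `0 0` default-route shorthand), performs the lookup, and reports whether the reply would egress the crypto-map interface before and after the specific route is added. The interface names, peer addresses and remote network are taken from the diagram above; the lookup is a simplification of the ASA's real forwarding logic (it models only static routes, not connected routes, reverse-route injection or policy routing).

```python
"""Simulate the ASA egress-interface decision from the thread above.

Added example (not from the original post). Interfaces, peers and the
remote network 192.168.1.0/24 follow Ashu's diagram; only static routes
are modelled, which is an assumption made for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


def parse_route(line: str) -> Route:
    """Parse an ASA 'route <iface> <net> <mask> <gateway>' line.

    The ASA shorthand 'route outside 0 0 2.2.2.2' is the default route
    (0.0.0.0/0), so '0' is accepted for both the network and the mask.
    """
    parts = line.split()
    if len(parts) != 5 or parts[0] != "route":
        raise ValueError(f"not an ASA static route: {line!r}")
    _, iface, net, mask, gw = parts
    net = "0.0.0.0" if net == "0" else net
    mask = "0.0.0.0" if mask == "0" else mask
    return Route(iface,
                 ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gw))


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def reply_egress(routes: List[Route], remote_host: str) -> Optional[str]:
    """Interface the ASA would use to send a reply toward remote_host."""
    route = lookup(routes, remote_host)
    return route.iface if route else None


def tunnel_reply_works(routes: List[Route], crypto_map_iface: str,
                       remote_host: str) -> bool:
    """True only if the reply leaves via the interface holding the crypto map.

    Otherwise the reply exits another interface in clear text and is
    dropped, which is the failure described in the thread.
    """
    return reply_egress(routes, remote_host) == crypto_map_iface


# Constructed sample: the routing table before and after Ashu's fix.
BEFORE = [parse_route("route outside 0 0 2.2.2.2")]
AFTER = BEFORE + [parse_route("route outside2 192.168.1.0 255.255.255.0 3.3.3.3")]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        egress = reply_egress(table, "192.168.1.1")
        ok = tunnel_reply_works(table, "outside2", "192.168.1.1")
        print(f"{label}: reply to 192.168.1.1 egresses {egress}; "
              f"tunnel reply {'OK' if ok else 'DROPPED'}")
```

On a real ASA the table this script simulates is what `show route` displays; checking that the remote network resolves to the crypto-map interface there is the quickest way to confirm the specific route took effect.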
