12-12-2008 03:01 AM - edited 03-11-2019 07:25 AM
Hey,
is it necessary that the interface we want to use for VPN is also the outside interface?
Or is it possible to have one outside interface and another physical interface for VPN?
greetings
12-12-2008 03:07 AM
Hello Lydia,
Sure, you can have VPN terminated at every interface of the firewall, as long as the proper routes for the peers and the NAT statements are added.
Regards
04-26-2010 11:39 PM
You can allow VPN on the inside interface too; you can put a mark in the checkbox on the IPsec connections page (ASDM).
04-27-2010 01:14 PM
Hi Lydia,
You can terminate the vpn on any interface. Let's take the following example:
        Router (Remote n/w 192.168.1.1/24)
                 |
       ISP1             ISP2
      2.2.2.2          3.3.3.3
        |                 |
     outside           outside2
         \               /
          \             /
               ASA
                |
              Inside
Let's say that we have established a L2L tunnel with a router and the network behind the router to which we want to talk is 192.168.1.1/24.
Now, on the ASA we have the default route as follows:
route outside 0 0 2.2.2.2
Now, if the crypto map is applied on the outside2 interface and the tunnel gets initiated from the remote router, the packet would reach the firewall, but when the reply goes, it checks the routing table and sends the packet towards the outside interface and it gets dropped. So, we need to have a specific route for the remote n/w as follows to make it work:
route outside2 192.168.1.0 255.255.255.0 3.3.3.3
HTH
Ashu.
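As an added illustration of the routing point in the post above (not code from the thread or from Cisco), the snippet below models the ASA's longest-prefix route lookup for the two routing tables shown and checks whether the reply to the remote network leaves the interface that holds the crypto map. It assumes a host 192.168.1.10 behind the remote router and ignores NAT and other ASA-specific behaviour.

```python
from ipaddress import ip_address, ip_network

# Routing tables reconstructed from the thread (constructed for this illustration):
#   route outside 0 0 2.2.2.2
#   route outside2 192.168.1.0 255.255.255.0 3.3.3.3
DEFAULT_ROUTE_ONLY = [
    ("outside", ip_network("0.0.0.0/0"), "2.2.2.2"),
]
WITH_SPECIFIC_ROUTE = DEFAULT_ROUTE_ONLY + [
    ("outside2", ip_network("192.168.1.0/24"), "3.3.3.3"),
]


def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None."""
    dst = ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (iface, prefix, next_hop)
    return None if best is None else (best[0], best[2])


def reply_egress_matches_crypto_map(routes, dst, crypto_map_iface):
    """True when the reply to dst egresses the interface carrying the crypto map.
    If it egresses another interface, the clear-text reply never hits the crypto
    map and is dropped, which is the failure the post describes."""
    hit = lookup(routes, dst)
    return hit is not None and hit[0] == crypto_map_iface


if __name__ == "__main__":
    remote_host = "192.168.1.10"  # constructed host behind the remote router
    for label, table in (("default route only", DEFAULT_ROUTE_ONLY),
                         ("with specific route", WITH_SPECIFIC_ROUTE)):
        iface, next_hop = lookup(table, remote_host)
        ok = reply_egress_matches_crypto_map(table, remote_host, "outside2")
        print(f"{label}: reply to {remote_host} exits {iface} via {next_hop}; "
              f"crypto map on outside2 -> {'tunnel works' if ok else 'reply dropped'}")
```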