ASA 5510 - Interface Security Level

cdcjim2877
Level 1

I have an ASA 5510 (8.2.1 code). I am setting up two separate IPSec tunnels to remote networks, but each remote connection to a respective ASA interface.

Question: I know that the e0/0 ("outside") interface's security level is 0. However, does the security level of the second interface, e0/2 ("out2"), have to be set to 0 as well?

Thanks,

Jim

3 Replies

Collin Clark
VIP Alumni

Jim-

0 is the default setting for the interface tagged 'outside'. You can change it if you like. That being said, your 'outside2' interface can be 0 or any other number. It should not matter to the IPSec tunnel what the security level is.

Hope that helps.

Collin - Would it be possible to create a site-to-site vpn endpoint on other ASA interfaces that are not the "outside" interface?

I have a need to have two VPN endpoints on the same ASA device but I need to use separate interfaces (e0/2 and e0/3).

I will still need to maintain Internet access to e0/0 (outside) for the network on e0/1 (inside).

It is not a requirement that the VPN endpoint networks on e0/2 and e0/3 connect to the Internet or "inside" networks...only each other (respectively).

Accepted Solution:

Yes you can, just apply the respective crypto map to the interface. You might want to make e0/2 and e0/3 the same security level (if your security policy allows it) and same-security-traffic permit inter-interface. That permits communication between different interfaces that have the same security level. Then you can skip the whole NAT mess.
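An added example of the configuration the accepted answer describes, in ASA 8.2 syntax; it is not from the thread. The nameif values, security level 50, the subnets, peer addresses (documentation ranges), ACL and crypto map names, and the PSK placeholders are all assumptions.

```cisco
! Both VPN-facing interfaces get the same (non-zero) security level.
! The level itself does not affect IPsec; it only governs inter-interface policy.
interface Ethernet0/2
 nameif vpn-a
 security-level 50
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/3
 nameif vpn-b
 security-level 50
 ip address 198.51.100.10 255.255.255.0
!
! By default the ASA drops traffic between interfaces of equal security level;
! this permits it, so no NAT exemption is needed between vpn-a and vpn-b.
same-security-traffic permit inter-interface
!
! ISAKMP must be enabled on each interface that terminates a tunnel
crypto isakmp enable vpn-a
crypto isakmp enable vpn-b
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
!
! One crypto map per interface; each interesting-traffic ACL scopes its own tunnel
access-list VPN-A-TRAFFIC extended permit ip 10.20.0.0 255.255.0.0 10.120.0.0 255.255.0.0
crypto map MAP-A 10 match address VPN-A-TRAFFIC
crypto map MAP-A 10 set peer 203.0.113.1
crypto map MAP-A 10 set transform-set TS-AES
crypto map MAP-A interface vpn-a
!
access-list VPN-B-TRAFFIC extended permit ip 10.30.0.0 255.255.0.0 10.130.0.0 255.255.0.0
crypto map MAP-B 10 match address VPN-B-TRAFFIC
crypto map MAP-B 10 set peer 198.51.100.1
crypto map MAP-B 10 set transform-set TS-AES
crypto map MAP-B interface vpn-b
!
! Peer authentication; replace each placeholder with a strong, unique PSK
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-A
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-B
```

Once same-security inter-interface traffic is permitted, only interface ACLs limit what crosses between vpn-a and vpn-b, so apply an access-group on each if the two remote networks should not reach one another.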