
ASA with single interface and IP address as a VPN server only

aacole
Level 5

I was asked if it is possible to configure an ASA as a VPN RA server using only a single interface and IP address. I said no, but was then told that it is possible, but cannot find any examples of this. All my ASA work has involved using an outside and inside network on separate subnets.

So, this ASA is to provide VPN termination only, it's not used for firewalling between private and public networks.

I don't have any hardware here to try this on, if I configure 1 interface in theory I should be able to get internal users to point to that network for access to the network across the VPN. Also the RA users can use the same IP address to terminate their VPN sessions.

Encrypted and non-encrypted traffic will have to use the same interface, and I'm not sure if this can be done.

My experience tells me this is an invalid configuration, but that is only based on the way I've set up ASAs before.

3 Replies

Collin Clark
VIP Alumni

Andy-

So they want a box that terminates the VPN and then accesses the local network out the same interface? I assume it has a private IP and there is a border firewall that NATs to it? Sounds like an insecure solution.

Todd Pula
Level 7

I don't run into this all that frequently but you can certainly configure it on the ASA. The underlying config would be similar to the config you would use if you wanted to hairpin RA client Internet traffic out the same interface on which it was received. This is achieved using the "same-security-traffic permit intra-interface" CLI.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

I had a look at that link before, but didn't think it did what I wanted. Having had another look I see what you mean, I think it will do, so I'll try it next week.

Thanks,

Andy
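
The single-interface setup described in Todd Pula's reply, as an added configuration sketch that is not from the thread or from the linked Cisco document. It assumes ASA 8.3 or later NAT syntax; the interface name, addresses, pool, object, ACL and group names are all constructed placeholders, and the IKE/crypto and user authentication settings, which are the same as in any remote-access setup, are left out.

```cisco
! Constructed addressing: 192.168.10.0/24 is the LAN the ASA sits on,
! 10.99.0.0/24 is a hypothetical pool handed to RA clients.
interface GigabitEthernet0/0
 nameif lan
 security-level 100
 ip address 192.168.10.10 255.255.255.0
!
route lan 0.0.0.0 0.0.0.0 192.168.10.1
!
! Decrypted client traffic arrives on "lan" and has to leave on "lan" again.
! Without this command the ASA drops traffic that enters and exits the
! same interface.
same-security-traffic permit intra-interface
!
ip local pool RA-POOL 10.99.0.10-10.99.0.100 mask 255.255.255.0
!
! Hide the clients behind the ASA's own address so LAN hosts need no route
! to the pool. The alternative is to skip this NAT and add a route for
! 10.99.0.0/24 via 192.168.10.10 on the LAN gateway.
object network RA-CLIENTS
 subnet 10.99.0.0 255.255.255.0
 nat (lan,lan) dynamic interface
!
! Decrypted VPN traffic bypasses interface ACLs by default
! (sysopt connection permit-vpn), so restrict what clients may reach with
! a per-group vpn-filter. In a vpn-filter ACL the source is the client
! side and the destination is the local side.
access-list RA-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.50 eq 443
access-list RA-FILTER extended deny ip any any log
!
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-filter value RA-FILTER
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
```

With the NAT rule in place, LAN hosts see every VPN user as 192.168.10.10, so per-user attribution has to come from the ASA's own session and connection logs rather than from server-side source addresses.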
