Setup VPN using separate interfaces from ASA to L3 switch

nmoore1978 · ‎11-12-2009

I would like to setup a host-to-net VPN on my dual ASA 5520s. I want to put the VPN traffic on a separate VLAN. I attached a diagram to show what I would like to do. Because I'm using an inline Barracuda web filter I can't send VLAN trunks through the inside interface. So I guess I would have to utilize a separate interface that would send the VPN VLAN around the barracuda. How can I route traffic this way?

My main server VLAN is 192.168.0.0/24 which also has inside interface of the ASA on it. I would like to have the VPN on VLAN 60 (192.168.60.0/24) and force the traffic from the ASA, around the barracuda, and to the switch stack for routing.

Basically, I want VPN sessions to be filtered by the Barracuda unit, just like everyone is at the office. I want incoming VPN sessions to go through a separate interface back to my switch stack and then follow the same path as everyone else out to the Internet for web browsing. I'm assuming that this will involve ACL's on the ASA interfaces.

What is the best way to go about this? Thanks.

-Nick

Todd Pula · ‎11-12-2009

One way you may be able to achieve this is via VLAN mapping. You can trunk the second interface to the switch and configure a VLAN subinterface. You can then associate the VLAN with the VPN client group-policy. You could then configure a tunneled default route or more specific routes via this interfaces.