Can I initiate L2L on ASA 5520 Sub-interface?

Apr 30th, 2010

Hello guys,

Can I use the external IP address to establish a (remote peer) IPSec L2L tunnel without physically assigning it to the outside interface? Right now the outside interface is private-facing toward the ISP. I don’t have the leverage to add a router. Please let me know how, and if the example configuration below can meet my situation. The sub-interface IP address will be connecting to the ISP from the ASA 5520 firewall. My PPP link between the two sites is going under maintenance for a long time. Thank you in advance!

Example:

interface GigabitEthernet0/0
description untrusted link
nameif outside
security-level 0
ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2 <<Public IP

interface GigabitEthernet0/0.5
vlan 5
description untrusted link
nameif outside
security-level 0
ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3 << private IP to ISP core end.

Or

interface GigabitEthernet0/0
no shut

interface GigabitEthernet0/0.5
description untrusted link
vlan 5
nameif outside
security-level 0
ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2 <<Public IP

interface GigabitEthernet0/0.10
description untrusted link
vlan 10
nameif outside
security-level 0
ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3 << private IP to ISP core end

Thanks, Eric

Panos Kampanakis (Cisco Employee) Fri, 04/30/2010 - 15:00

Yes, the outside interface can be used for VPN even if it is a subinterface as long as your packets are tagged properly so that the ASA will be able to tell what interface they belong to.

I hope it helps.

PK

Eric Boadu Mon, 05/03/2010 - 10:24

Thank you P!  Could the config below work if I use it to initiate the tunnel, since the sub-int gi0/0.50 nameif is public and not outside, even though it is on the same physical port? Are any static route, NAT, Global or ACL needed? Please advise. Thanks, Eric

interface GigabitEthernet0/0
description untrusted link
nameif outside
security-level 0
ip address 101.101.200.3 255.255.255.248 standby 101.101.200.4 << Facing ISP

interface GigabitEthernet0/0.50
description untrusted public subnet
vlan 50
nameif public
security-level 0
ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2 <<

interface GigabitEthernet0/1
description trusted inside lan
nameif inside
security-level 100
ip address 172.16.1.10 255.255.255.0 standby 172.16.1.11

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 101.101.200.2 101
route inside 172.16.2.0 255.255.255.0 172.16.1.1 101
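Putting the reply and the follow-up together, here is an added example (not from either poster, and not a Cisco-provided config) of how the L2L pieces attach to the tagged "public" subinterface, which answers the route, NAT-exemption and ACL question. It assumes ASA 8.2-style syntax (the same family as the global/nat lines above), a hypothetical remote peer 203.0.113.10, a hypothetical remote LAN 192.168.50.0/24, and a hypothetical next hop 191.161.4.254 on the public subnet; the pre-shared key is a placeholder.

```cisco
! Added example, not from the thread. Assumed values: peer 203.0.113.10,
! remote LAN 192.168.50.0/24, next hop 191.161.4.254 on the public subnet.
! The physical port must be up; the subinterface is identified by its VLAN tag.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.50
 vlan 50
 nameif public
 security-level 0
 ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2
!
! Interesting traffic: one ACL for NAT exemption, one for the crypto map,
! so the tunnel traffic is never PATed behind the outside interface.
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list public_cryptomap extended permit ip 172.16.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! A crypto map only acts on the interface it is bound to. Without a route
! that sends the peer out "public", traffic to the peer follows the default
! route out "outside", which has no crypto map, and leaves in the clear.
route public 203.0.113.10 255.255.255.255 191.161.4.254 1
!
! IKE phase 1, enabled on the subinterface name, not on "outside"
crypto isakmp enable public
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IKE phase 2 and the crypto map bound to "public"
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map public_map 10 match address public_cryptomap
crypto map public_map 10 set peer 203.0.113.10
crypto map public_map 10 set transform-set ESP-AES256-SHA
crypto map public_map interface public
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

To check the design rather than the syntax: `show route` should list the /32 to the peer via public before anything else is tested, `show crypto isakmp sa` should show the phase 1 SA once interesting traffic is generated, and `show crypto ipsec sa` should show encaps/decaps counters rising on the public interface. If the counters stay at zero while the inside hosts still get replies, the traffic is taking the outside path unencrypted, which is the failure mode the host route guards against.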
