08-16-2010 06:12 AM - edited 03-11-2019 11:25 AM
My current setup has an ASA and a VPN3k with a public IP in the DMZ. I've successfully tested using the ASA to terminate VPN connections and am planning on how best to retire the VPN3k.
Here is an example using private range IPs to represent the public IPs:
VPN3k IP - 192.168.100.1
ASA outside interface IP - 192.168.0.1
As a temporary measure could I re-direct traffic bound for the VPN3k's public IP to the ASA's outside interface IP so that the ASA will then terminate the VPN connections? I realize I'll have to re-create the groups on the VPN3k as tunnel groups on the ASA. I'm thinking something like this:
static (DMZ,outside) interface 192.168.100.1 netmask 255.255.255.255
Will this work?
08-19-2010 11:27 AM
Hi,
This would require that IPSec and ISAKMP be disabled on the ASA completely and that the 3K setup for nat traversal.
If the tunnel requires the use of ESP, protocol 50, then this will not work.
You would need to create a port map for each protocol, so in this case UDP/500 and UDP/4500.
static (inside,outside) udp interface isakmp 192.168.100.1 isakmp netmask 255.255.255.255
static (inside,outside) udp interface 4500 192.168.100.1 4500 netmask 255.255.255.255
Hope this helps.
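The point of the reply above is that ASA static PAT (the `static ... udp ...` form) forwards single TCP/UDP ports, so it can carry IKE on UDP/500 and NAT-T on UDP/4500 but never raw ESP (IP protocol 50), which only a 1:1 static forwards. The following is an added example, not configuration or code from the thread or from Cisco: a small Python linter that parses ASA 8.2-style `static` lines (syntax `static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask M`), reports which IPsec flows a set of lines forwards, and flags two things seen in this thread, a malformed netmask and IKE/ESP being forwarded to the ASA's own interface address while the ASA may still be running ISAKMP/IPsec there. The port-name table and the sample lines in `__main__` are constructed for the example; the sample lines are the ones quoted in the thread.

```python
"""Lint ASA 8.2-style "static" NAT lines for IPsec pass-through (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Minimal name-to-number table for port keywords; the ASA accepts more names than this.
PORT_NAMES = {"isakmp": 500}

# Flows an IPsec peer needs through the NAT: IKE on UDP/500, NAT-T on UDP/4500,
# and, when NAT-T is not in use, raw ESP (IP protocol 50), which has no port.
IKE_FLOWS = {"udp/500", "udp/4500"}
ESP_FLOW = "esp"


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # "tcp"/"udp" for static PAT, None for 1:1 static NAT
    mapped_ip: str              # literal "interface" means the ASA's own interface address
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]
    netmask: str


def _port(tok: str) -> int:
    if tok.lower() in PORT_NAMES:
        return PORT_NAMES[tok.lower()]
    if not tok.isdigit() or not 0 < int(tok) < 65536:
        raise ValueError(f"unknown port {tok!r}")
    return int(tok)


def parse_static(line: str) -> StaticNat:
    """Parse one 'static (real,mapped) [tcp|udp] mapped [mport] real [rport] netmask M' line."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "static" or "netmask" not in tok:
        raise ValueError(f"not a static line: {line!r}")
    ifs = tok[1].strip("()").split(",")
    if len(ifs) != 2:
        raise ValueError(f"bad interface pair: {tok[1]!r}")
    n = tok.index("netmask")
    body, mask = tok[2:n], tok[n + 1:]
    if len(mask) != 1:
        raise ValueError("expected exactly one netmask")
    if body and body[0].lower() in ("esp", "ah", "50", "51"):
        raise ValueError("static PAT maps TCP/UDP ports only; ESP/AH need a 1:1 static")
    if body and body[0].lower() in ("tcp", "udp"):
        if len(body) != 5:
            raise ValueError("static PAT needs proto, mapped ip, mapped port, real ip, real port")
        proto, mip, mport, rip, rport = body
        return StaticNat(ifs[0], ifs[1], proto.lower(), mip, _port(mport), rip, _port(rport), mask[0])
    if len(body) != 2:
        raise ValueError("1:1 static needs mapped ip and real ip")
    return StaticNat(ifs[0], ifs[1], None, body[0], None, body[1], None, mask[0])


def flows_forwarded(nat: StaticNat) -> Set[str]:
    """Flows an outside peer can reach through this entry."""
    if nat.proto is None:
        return IKE_FLOWS | {ESP_FLOW}            # 1:1 static forwards every IP protocol
    return {f"{nat.proto}/{nat.mapped_port}"}    # static PAT forwards one TCP/UDP port


def lint_static(nat: StaticNat) -> List[str]:
    """Return human-readable problems; an empty list means the line looks sane."""
    problems = []
    addrs = [("netmask", nat.netmask), ("real ip", nat.real_ip)]
    if nat.mapped_ip != "interface":
        addrs.append(("mapped ip", nat.mapped_ip))
    for label, value in addrs:
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} {value!r} is not a valid IPv4 address")
    # Forwarding IKE/ESP to the ASA's own interface address collides with the ASA
    # terminating VPNs itself: ISAKMP/IPsec on that interface would have to be off.
    if nat.mapped_ip == "interface" and flows_forwarded(nat) & (IKE_FLOWS | {ESP_FLOW}):
        problems.append("forwards IKE/ESP to the ASA interface address; "
                        "the ASA's own ISAKMP/IPsec on that interface must be disabled")
    return problems


def missing_ipsec_flows(lines: List[str], require_esp: bool) -> Set[str]:
    """Flows the peer needs that none of `lines` forwards (empty set = fully covered)."""
    needed = set(IKE_FLOWS) | ({ESP_FLOW} if require_esp else set())
    covered: Set[str] = set()
    for line in lines:
        covered |= flows_forwarded(parse_static(line))
    return needed - covered


if __name__ == "__main__":
    # Constructed sample: the two port maps proposed in the thread, plus the typo'd one.
    sample = [
        "static (inside,outside) udp interface isakmp 192.168.100.1 isakmp netmask 255.255.255.255",
        "static (inside,outside) udp interface 4500 192.168.100.1 4500 netmask 255.255.255.255",
        "static (inside,outside) udp interface isakmp 192.168.100.1 isakmp netmask 255.2552.255.255",
    ]
    for line in sample:
        print(line, "->", lint_static(parse_static(line)) or "ok")
    print("missing with ESP required:", missing_ipsec_flows(sample[:2], require_esp=True))
    print("missing with NAT-T only:  ", missing_ipsec_flows(sample[:2], require_esp=False))
```

Run against the two port maps with `require_esp=True` the linter reports `{'esp'}` missing, which is the conclusion the thread reaches: once ESP is a hard requirement, only a 1:1 static (or a peer that can do NAT-T) will do, and a 1:1 static to the ASA's own outside address still collides with the ASA's own IKE/IPsec on that interface.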
08-20-2010 06:04 AM
Thanks for the reply. Unfortunately ESP is a necessity so this won't work for me. The TAC came up with a fairly complicated scheme to accomplish this, but I fell back to using the VPN3k to push new config files to the clients.
08-20-2010 01:24 PM
Hello,
I don't think you can make the connections terminate on the outside of the ASA for a different IP other than the interface IP. You have one of two options:
1. Keep the 3K
2. Change the IP of the ASA outside interface to that of 3K
Hope this helps.
Regards,
NT