Jouni Forss Thu, 01/16/2014 - 07:03

Hi,


ASA can only use the IP address configured directly on its interface for a VPN connection.


You could naturally configure a new public subnet on another (new) ASA interface and use the "route" command to both route the remote peer IP and remote network through that interface. That way you would have 2 external interfaces with the IP addresses for VPN use and the new interface wouldn't interfere with the original external interface that holds the default route.


There are many factors that determine if this would be easy to implement. Mostly your ISP and their equipment in front of your ASA.


- Jouni
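
The setup described in the reply above, sketched as an added example that is not part of the original post. It assumes ASA 8.4+ IKEv1 syntax; every address, interface name and object name is constructed for illustration (RFC 5737 documentation ranges), and the pre-shared key is a placeholder.

```cisco
! Constructed values (assumptions, not from the thread):
!   203.0.113.0/29  new public subnet, ASA = .2, upstream router = .1
!   198.51.100.10   remote VPN peer
!   10.20.0.0/16    remote network, 10.10.0.0/16 local network
!
! New external interface holding the second VPN endpoint address
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
! Route only the peer and the remote network through the new interface.
! The default route on the original outside interface is left untouched.
route outside2 198.51.100.10 255.255.255.255 203.0.113.1
route outside2 10.20.0.0 255.255.0.0 203.0.113.1
!
! Interesting traffic and IPsec proposal for this tunnel
access-list VPN2-CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec ikev1 transform-set VPN2-TS esp-aes-256 esp-sha-hmac
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! The crypto map is bound to the interface whose IP address the peer connects to
crypto map VPN2-MAP 10 match address VPN2-CRYPTO
crypto map VPN2-MAP 10 set peer 198.51.100.10
crypto map VPN2-MAP 10 set ikev1 transform-set VPN2-TS
crypto map VPN2-MAP interface outside2
crypto ikev1 enable outside2
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

If the local network is translated on egress, the tunnel traffic also needs a NAT exemption toward `outside2`, and the upstream router has to route the new subnet to the ASA.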

Steven Williams Thu, 01/16/2014 - 07:12

I have control of the router between my firewall and the ISP ethernet handoff device.

Jouni Forss Thu, 01/16/2014 - 09:26

Hi,


I guess there are a couple of options when physically connecting the ASA and Router.


  • If you have free ports on both of the devices you could connect those and configure the public subnet between them. I am not sure, did you have a small public subnet assigned from the ISP for this new purpose?
  • If you don't have free ports then your option would probably be to configure one existing link as a Trunk between the ASA and Router and configure both WAN links as subinterfaces on each of the devices.


I am not sure if you have a router with a public subnet link network both towards the ISP and your ASA or just public subnet towards ISP and private network between Router and ASA while Router is doing NAT for the ASA.


- Jouni

Marvin Rhoads Thu, 01/16/2014 - 07:17

If the ASA is one of the peers then you must bind the site-site VPN to its interface.
