VPN-RA

Answered Question
Jun 30th, 2014

Hi Experts,

Please help me set up remote access VPN. I want the VPN to be set up with an IP address that is not configured on the outside interface. Also, all inside IPs (say 0.0.0.0) are being NATed to the outside interface IP. So in this scenario, how is it possible?

--------------------------------------------------------------------------------------------

ASA# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                X.X.X.5         255.255.255.0   manual

object network obj_any
 nat (inside,outside) dynamic interface

object network obj_any
 subnet 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 X.X.X.6 1
----------------------------------------------------------------------------------------------

I want to set up the VPN with the X.X.X.11 IP. Please suggest how I could do this.

rizwanr74 Mon, 06/30/2014 - 08:11

Hi Anukalp,

What is the version of your ASA?

Do you want to set up IPsec client-based remote access VPN?

thanks

Anukalp S Mon, 06/30/2014 - 08:25
Hi.

ASA software version is 9.1(2). Yes, I want to set up IPsec client-based RA VPN.

Anukalp S Mon, 06/30/2014 - 08:50
Hi Rizwan,

I know the RA VPN configuration; my concern is, could we configure IPsec client-based VPN with an IP which is not configured on the outside interface but with a different IP from the same segment?

Marius Gunnerud Mon, 06/30/2014 - 08:52
Please see my previous answer and suggested resolution for your issue. But in short, it is not possible to terminate a VPN tunnel to an IP that is not configured on an ASA interface.

--

Please remember to select a correct answer and rate helpful posts

rizwanr74 Mon, 06/30/2014 - 10:17
Hi Anukalp,

Sorry, I didn't understand your question before.

"IP which is not configured on outside interface but with different IP from same segment."

Yes, you can for AnyConnect; as a matter of fact, I have done exactly the same setup on my ASA, but for IPsec, no.

thanks

Rizwan Rafeek.

Marius Gunnerud Mon, 06/30/2014 - 10:34
@Rizwan - This is unfortunately not possible on the ASA. Both IPsec and AnyConnect must terminate on the ASA interface so that the ASA can inspect ingress and egress traffic for interesting traffic.

Marius Gunnerud Mon, 06/30/2014 - 08:44
This is not possible, the VPN must terminate on the ASA interface.

An option would be to place a switch between your ASA and your ISP router and then create subinterfaces on your outside interface. Assign the wanted VPN IP to one of the subinterfaces and terminate the VPN on that interface.

So, if you decide or are able to go this route, you could do the following:

! subinterface that carries the VPN address; the VPN terminates here
interface GigabitEthernet0/0.10
 vlan 10
 security-level 0
 nameif VPN_int
 ip address x.x.x.11 255.255.255.0
!
! addresses handed to connecting clients
ip local pool VPNPOOL 10.10.10.1-10.10.10.10
!
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
!
crypto ipsec ikev1 transform-set VPNSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 65535 set ikev1 transform-set VPNSET
crypto dynamic-map DYNMAP 65535 set reverse-route
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
! bind the crypto map and enable IKEv1 on the VPN subinterface, not on outside
crypto map VPNMAP interface VPN_int
crypto ikev1 enable VPN_int
!
! the same tunnel-group name is used in all three tunnel-group lines
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key PASSWORD
!
management-access inside

Anukalp S Mon, 06/30/2014 - 09:31
Thanks Marius, but if I create a sub-interface then I need to assign a name to this interface other than outside, and I have put the default route via the outside interface. Since the ASA cannot accept two default routes, would people sitting on the public network be able to reach the X.X.X.11 IP?

Please clear this up.

Correct Answer
Marius Gunnerud Mon, 06/30/2014 - 09:37
That is true, the ASA cannot have two active default routes. So the interface you intend to use for the VPN must also be the one that has the default route configured on it.

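
A check for the rule this answer settles on, written as an added example that is not from the thread: it parses an ASA-style running-config and flags when the VPN address is not an interface address, or when the crypto map, IKEv1 and the default route are not on the same interface. The sample config, the function names and the RFC 5737 addresses are constructed for this example.

```python
import re

# Constructed sample shaped like the thread's config (RFC 5737 addresses stand in
# for X.X.X.x): default route via "outside", VPN bound to subinterface VPN_int.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.5 255.255.255.0
interface GigabitEthernet0/0.10
 vlan 10
 nameif VPN_int
 ip address 203.0.113.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.6 1
crypto map VPNMAP interface VPN_int
crypto ikev1 enable VPN_int
"""


def parse_interfaces(config):
    """Return {nameif: ip} for every interface block in a running-config."""
    ifaces, name, ip = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):  # new block: flush the previous one
            if name:
                ifaces[name] = ip
            name = ip = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            ip = line.split()[2]
    if name:
        ifaces[name] = ip
    return ifaces


def check_vpn_termination(config, vpn_ip):
    """Findings (empty = consistent) for the rules the thread settles on: the VPN
    address is an interface address, crypto map and IKEv1 sit on one interface,
    and that interface carries the default route."""
    findings = []
    ifaces = parse_interfaces(config)
    if vpn_ip not in ifaces.values():
        findings.append(f"{vpn_ip} is not on any interface; a VPN cannot terminate there")
    route = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    cmap = re.search(r"^crypto map \S+ interface (\S+)", config, re.M)
    ikev1 = re.search(r"^crypto ikev1 enable (\S+)", config, re.M)
    if cmap and ikev1 and cmap.group(1) != ikev1.group(1):
        findings.append(f"crypto map on {cmap.group(1)} but IKEv1 enabled on {ikev1.group(1)}")
    if cmap and route and cmap.group(1) != route.group(1):
        findings.append(f"VPN on {cmap.group(1)} but default route via {route.group(1)}")
    return findings
```

Running `check_vpn_termination(SAMPLE_CONFIG, "203.0.113.11")` reports the default-route mismatch the thread ends on; moving the default route to VPN_int clears it.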

Marius Gunnerud Mon, 06/30/2014 - 09:53
No problem.

Thank you for the rating.
