06-30-2014 07:35 AM - edited 03-11-2019 09:24 PM
Hi Experts..
Please help me set up a remote access VPN. I want VPN access set up with my IP address, which is not configured on the outside interface. Also, all inside IPs (say 0.0.0.0) are getting NATed to the outside interface IP. So in this scenario, how is it possible?
--------------------------------------------------------------------------------------------
ASA# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside X.X.X.5 255.255.255.0 manual
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.6 1
----------------------------------------------------------------------------------------------
I want to set up the VPN with the X.X.X.11 IP. Please suggest how I could do this.
06-30-2014 08:11 AM
Hi Anukalp,
What is the version of your ASA?
Do you want to set up an IPsec client-based remote access VPN?
thanks
06-30-2014 08:25 AM
Hi.
The ASA software version is 9.1(2). Yes, I want to set up an IPsec client-based RA VPN.
06-30-2014 08:32 AM
Hi Anukalp,
Please follow the configuration guide from the Cisco link below.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html
If you have a question, let me know.
thanks
Rizwan Rafeek.
06-30-2014 08:50 AM
Hi Rizwan..
I know the RA VPN configuration; my concern is whether we could configure an IPsec client-based VPN with an IP that is not configured on the outside interface, but with a different IP from the same segment.
06-30-2014 08:52 AM
Please see my previous answer and suggested resolution for your issue. But in short, it is not possible to terminate a VPN tunnel on an IP that is not configured on an ASA interface.
--
Please remember to select a correct answer and rate helpful posts
06-30-2014 10:17 AM
Hi Anukalp,
Sorry didn't understand your question before.
"an IP which is not configured on the outside interface but a different IP from the same segment."
Yes, you can for AnyConnect; as a matter of fact, I have done exactly the same setup on my ASA, but for IPsec, no.
thanks
Rizwan Rafeek.
06-30-2014 10:34 AM
@Rizwan - This is unfortunately not possible on the ASA. Both IPsec and AnyConnect must terminate on the ASA interface so that the ASA can inspect ingress and egress traffic for interesting traffic.
--
Please remember to select a correct answer and rate helpful posts
06-30-2014 08:44 AM
This is not possible; the VPN must terminate on an ASA interface.
An option would be to place a switch between your ASA and your ISP router and then create subinterfaces on your outside interface. Assign the wanted VPN IP to one of the subinterfaces and terminate the VPN on that interface.
So, if you decide or are able to go this route, you could do the following:
interface GigabitEthernet0/0.10
 vlan 10
 nameif VPN_int
 security-level 0
 ip address X.X.X.11 255.255.255.0
!
! Pool handed to the IPsec clients
ip local pool VPNPOOL 10.10.10.1-10.10.10.10
!
! IKEv1 phase 1 policy for the legacy IPsec client
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
!
! Phase 2: dynamic map because client source addresses are unknown
crypto ipsec ikev1 transform-set VPNSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 65535 set ikev1 transform-set VPNSET
crypto dynamic-map DYNMAP 65535 set reverse-route
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
! The crypto map and IKEv1 must be bound to the interface the tunnel
! terminates on (VPN_int here), not to the physical "outside" interface
crypto map VPNMAP interface VPN_int
crypto ikev1 enable VPN_int
!
! One tunnel-group name throughout; XAUTH user authentication defaults to
! LOCAL, so a local username or an AAA server group is also required
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key PASSWORD
!
management-access inside
--
Please remember to select a correct answer and rate helpful posts
06-30-2014 09:31 AM
Thanks Marius, but if I create a subinterface then I need to assign a name to this interface other than outside, and I have put the default route via the outside interface. Since the ASA cannot accept two default routes, would people sitting on the public network be able to reach the X.X.X.11 IP?
Please clear this up.
06-30-2014 09:37 AM
That is true, the ASA cannot have two active default routes, so the interface you intend to use for the VPN must also be the one that has the default route configured on it.
--
Please remember to select a correct answer and rate helpful posts
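Putting the two answers together (terminate on a subinterface, and that subinterface must carry the single default route), the following is an added example configuration, not Marius's posted config and not Cisco's documentation. It assumes the ISP gateway X.X.X.6 is reachable in VLAN 10 through the switch, that the subinterface becomes the only outside-facing interface and takes over the name outside (the ASA will not accept X.X.X.5/24 and X.X.X.11/24 on two different interfaces at the same time), and a hypothetical inside LAN of 192.168.1.0/24. It also adds the piece the original question raised and the thread never answered: because obj_any PATs every inside address to the interface IP, an identity NAT rule is needed so traffic between the inside LAN and the VPN pool is not translated.

```cisco
! Added example; interface, object and user names are assumptions.
! 1. Strip the addressing off the physical interface; it now only carries VLANs.
interface GigabitEthernet0/0
 no ip address
 no nameif
 no security-level
 no shutdown
!
! 2. The subinterface is the new outside: VPN termination and default route live here.
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address X.X.X.11 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.X.X.6 1
!
! 3. NAT: identity (twice) NAT for inside <-> VPN pool must precede the catch-all PAT.
!    Section 1 (manual) rules are evaluated before section 2 (object) rules, so the
!    obj_any rule from the question can stay as it is.
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.240
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! 4. Client pool (10.10.10.1-10 sits inside the /28 used by VPN_POOL above).
ip local pool VPNPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.240
!
! 5. Split tunnel: only the inside LAN is sent through the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy VPNGP internal
group-policy VPNGP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 6. Crypto, bound to the interface that now owns X.X.X.11.
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
crypto ipsec ikev1 transform-set VPNSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 65535 set ikev1 transform-set VPNSET
crypto dynamic-map DYNMAP 65535 set reverse-route
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto ikev1 enable outside
!
! 7. Tunnel group; XAUTH defaults to LOCAL, so a local user is needed
!    (vpnuser and its password are placeholders).
username vpnuser password REPLACE-WITH-A-STRONG-PASSWORD
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
 default-group-policy VPNGP
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! Checks once a client is connected:
!   show crypto ikev1 sa            -> phase 1 SA with the client's public IP
!   show crypto ipsec sa            -> encaps/decaps counters incrementing
!   packet-tracer input inside tcp 192.168.1.10 1234 10.10.10.2 445
!     -> the NAT phase should hit the INSIDE_LAN/VPN_POOL identity rule,
!        not obj_any; if it hits obj_any, the exemption is missing or ordered wrong
```

The identity rule is the part most often forgotten: without it, inside hosts replying to a VPN client are PATed to X.X.X.11 and the reply never enters the tunnel, which shows up as one-way traffic even though the IKE and IPsec SAs look healthy.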
06-30-2014 09:50 AM
Thanks Marius for clearing this up.
06-30-2014 09:53 AM
No problem.
Thank you for the rating