VPN-RA

Anukalp S
Level 1

Hi Experts,

Please help me set up a remote access VPN. I want the VPN to be set up with an IP address which is not configured on the outside interface. Also, all inside IPs (0.0.0.0) are getting NATed to the outside interface IP. So in this scenario, how is it possible?

--------------------------------------------------------------------------------------------

ASA# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                X.X.X.5   255.255.255.0   manual
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 X.X.X.6 1
----------------------------------------------------------------------------------------------

I want to set up the VPN with the X.X.X.11 IP. Please suggest how I could do this.

1 Accepted Solution

That is true, the ASA cannot have two active default routes, so the interface you intend to use for the VPN must also be the one that has the default route configured for it.

--
Please remember to select a correct answer and rate helpful posts

12 Replies

rizwanr74
Level 7

Hi Anukalp,

What is the version of your ASA?

Do you want to set up an IPsec client-based remote access VPN?

thanks

Hi.

The ASA software version is 9.1(2); yes, I want to set up an IPsec client-based RA VPN.

Hi Anukalp,


Please follow the configuration guide from the Cisco link below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html


If you have a question, let me know.


thanks

Rizwan Rafeek.


Hi Rizwan,

I know the RA VPN configuration; my concern is whether we could configure an IPsec client-based VPN with an IP which is not configured on the outside interface, but a different IP from the same segment.

Please see my previous answer and suggested resolution for your issue. But in short, it is not possible to terminate a VPN tunnel on an IP that is not configured on an ASA interface.

--

Please remember to select a correct answer and rate helpful posts

Hi Anukalp,


Sorry, I didn't understand your question before.

"ip which is not configured on outside interface but with diferent ip from same segment."

Yes, you can for AnyConnect; as a matter of fact, I have done exactly the same setup on my ASA, but for IPsec, no.


thanks

Rizwan Rafeek.


@Rizwan - This is unfortunately not possible on the ASA.  Both IPsec and AnyConnect must terminate on the ASA interface so that the ASA can inspect ingress and egress traffic for interesting traffic.

--

Please remember to select a correct answer and rate helpful posts

This is not possible; the VPN must terminate on the ASA interface.

An option would be to place a switch between your ASA and your ISP router and then create subinterfaces on your outside interface. Assign the wanted VPN IP to one of the subinterfaces and terminate the VPN on that interface.

So, if you decide or are able to go this route, you could do the following:

! Subinterface on the physical outside port; the switch in between must carry VLAN 10 tagged
interface GigabitEthernet0/0.10
 vlan 10
 security-level 0
 nameif VPN_int
 ip address x.x.x.11 255.255.255.0
! Note: the ASA rejects two named interfaces whose subnets overlap, so this address
! cannot stay in the same X.X.X.0/24 as outside while outside keeps its current address

ip local pool VPNPOOL 10.10.10.1-10.10.10.10

crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5

crypto ipsec ikev1 transform-set VPNSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 65535 set ikev1 transform-set VPNSET
crypto dynamic-map DYNMAP 65535 set reverse-route
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
! Bind the crypto map and IKEv1 to the interface the VPN terminates on, not to outside
crypto map VPNMAP interface VPN_int
crypto ikev1 enable VPN_int

! The tunnel-group name must be identical in all three statements
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key PASSWORD

management-access inside

--

Please remember to select a correct answer and rate helpful posts

Thanks Marius, but if I create a subinterface then I need to assign a name to this interface other than outside, and I have put the default route via the outside interface. Since the ASA cannot accept two default routes, would people sitting on the public network be able to reach the X.X.X.11 IP?

Please clear this out.

That is true, the ASA cannot have two active default routes, so the interface you intend to use for the VPN must also be the one that has the default route configured for it.

--

Please remember to select a correct answer and rate helpful posts
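The two constraints Marius's replies rest on (the VPN must terminate on an interface that actually holds the peer address, and that interface must be the one carrying the single default route) can be checked mechanically against a candidate config before pasting it into the box. The Python below is an added example, not code from this thread or from Cisco: a small linter over ASA-style config text that flags overlapping interface subnets, crypto bindings that do not match the default-route interface, and tunnel-group names that are referenced but never declared. The sample config is constructed from the subinterface design posted above, with RFC 5737 addresses (192.0.2.0/24) standing in for X.X.X.0/24; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the subinterface design from the thread, before its
# inconsistencies are fixed. 192.0.2.0/24 (RFC 5737) stands in for X.X.X.0/24.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.5 255.255.255.0
interface GigabitEthernet0/0.10
 vlan 10
 nameif VPN_int
 security-level 0
 ip address 192.0.2.11 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.6 1
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
crypto ikev1 enable outside
tunnel-group VPNGROUP type remote-access
tunnel-group NAME-OF-VPN-TUNNEL general-attributes
 address-pool VPNPOOL
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key PASSWORD
"""

# Same design with the crypto bindings moved onto the subinterface, which is
# what the post intends; this variant trips the default-route check instead.
SUBIF_CONFIG = (SAMPLE_CONFIG
                .replace("interface outside", "interface VPN_int")
                .replace("enable outside", "enable VPN_int"))


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every 'interface' block that has an address."""
    ifaces = {}
    name = addr = None
    for line in config.splitlines():
        if not line.startswith(" "):        # any top-level line closes the open block
            if name and addr:
                ifaces[name] = addr
            name = addr = None
            continue
        parts = line.split()
        if parts[:1] == ["nameif"]:
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            addr = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    if name and addr:
        ifaces[name] = addr
    return ifaces


def vpn_termination_ips(config):
    """Addresses a remote peer can actually use: interfaces with IKEv1 enabled."""
    ifaces = parse_interfaces(config)
    enabled = re.findall(r"^crypto ikev1 enable (\S+)", config, re.M)
    return {str(ifaces[n].ip) for n in enabled if n in ifaces}


def check_vpn_termination(config):
    """Return human-readable findings; an empty list means the design is consistent."""
    findings = []
    ifaces = parse_interfaces(config)

    # 1. The ASA refuses two named interfaces whose subnets overlap.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"{a} and {b} share subnet {ifaces[a].network}")

    # 2. Crypto map and IKEv1 must sit on the same, existing interface, and
    #    (the accepted answer) that interface must carry the single default route.
    map_if = set(re.findall(r"^crypto map \S+ interface (\S+)", config, re.M))
    ike_if = set(re.findall(r"^crypto ikev1 enable (\S+)", config, re.M))
    def_rt = re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    if map_if != ike_if:
        findings.append("crypto map and 'crypto ikev1 enable' are on different interfaces")
    if len(def_rt) > 1:
        findings.append("more than one default route configured")
    for n in sorted(map_if | ike_if):
        if n not in ifaces:
            findings.append(f"crypto bound to {n}, which has no nameif/IP")
        elif def_rt and n != def_rt[0]:
            findings.append(f"VPN bound to {n} but default route is via {def_rt[0]}")

    # 3. Every tunnel-group referenced by attributes must also be declared with a type.
    declared = set(re.findall(r"^tunnel-group (\S+) type ", config, re.M))
    referenced = set(re.findall(r"^tunnel-group (\S+) (?:general|ipsec)-attributes", config, re.M))
    for n in sorted(referenced - declared):
        findings.append(f"tunnel-group {n} has attributes but no 'type' declaration")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("bound to VPN_int", SUBIF_CONFIG)):
        print(f"[{label}] peers can terminate on: {sorted(vpn_termination_ips(cfg))}")
        for finding in check_vpn_termination(cfg):
            print("  -", finding)
```

Run as posted, the only address a peer can terminate on is outside's 192.0.2.5, and the linter reports the subnet overlap and the mismatched tunnel-group name. Move the crypto bindings to VPN_int and 192.0.2.11 becomes the termination address, but the default route still points at outside, which is exactly the conflict the accepted answer describes.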

Thanks Marius for clearing this out.

No problem.

Thank you for the rating :)

--
Please remember to select a correct answer and rate helpful posts