Cisco Support Community

New Member

Re-direct DMZ IP Back to Outside Interface

My current setup has an ASA and a VPN3k with a public IP in the DMZ.  I've successfully tested using the ASA to terminate VPN connections and am planning on how best to retire the VPN3k.

Here is an example using private range IPs to represent the public IPs:

VPN3k IP -

ASA outside interface IP -

As a temporary measure, could I re-direct traffic bound for the VPN3k's public IP to the ASA's outside interface IP so that the ASA will then terminate the VPN connections?  I realize I'll have to re-create the groups on the VPN3k as tunnel groups on the ASA.  I'm thinking something like this:

static (DMZ,outside) interface netmask

Will this work?

Cisco Employee

Re: Re-direct DMZ IP Back to Outside Interface


This would require that IPSec and ISAKMP be disabled on the ASA completely and that the 3K be set up for NAT traversal.

If the tunnel requires the use of ESP, protocol 50,  then this will not work.

You would need to create a port map for each protocol, so in this case UDP/500 and UDP/4500.

static (inside,outside) udp interface isakmp isakmp netmask 255.255.255.255

static (inside,outside) udp interface 4500 4500 netmask

Hope this helps.

New Member

Re: Re-direct DMZ IP Back to Outside Interface

Thanks for the reply.  Unfortunately ESP is a necessity so this won't work for me.  The TAC came up with a fairly complicated scheme to accomplish this, but I fell back to using the VPN3k to push new config files to the clients.

Cisco Employee

Re: Re-direct DMZ IP Back to Outside Interface


I don't think you can make the connections terminate on the outside of the ASA for an IP other than the interface IP. You have one of two options:

1. Keep the 3K

2. Change the IP of the ASA outside interface to that of 3K

Hope this helps.


