New Member

Remote Access - VPN

I have the following configuration in an ASA5505-SEC-BUN-K8:

!
interface Vlan1
 nameif Servers
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan10
 nameif internet
 security-level 0
 ip address 10.0.11.99 255.255.0.0
!
!
interface Vlan90
 nameif huespedes
 security-level 40
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan201
 nameif dmz
 security-level 50
 ip address 201.245.184.225 255.255.255.224
!
interface Vlan254
 nameif bogota
 security-level 100
 ip address 192.168.252.2 255.255.255.252
!

I would like to know on which interface I have to enable the VPN:

crypto map ?????_map interface ????

crypto isakmp enable ?????

My outside interface is called internet.

If I have 30 public IPs and the dmz VLAN is using one of these public IPs, how do I need to set up my VPN access?

Thanks

6 REPLIES
Cisco Employee

Re: Remote Access - VPN

I would recommend that you apply the crypto map on the interface where your default route is pointing to. The reason is, for Remote Access VPN, the user would be coming from any source IP and for the ASA to route the packets back to the VPN Client, a default route will scale much better.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: Remote Access - VPN

What about if my outside interface is not directly connected to the internet? The outside interface on my ASA5500 is connected to the ISP router, but the ISP gives me a 10.x.x.x/32 subnet.

The ISP routers forward the subnet with the public IPs to my firewall.

New Member

Re: Remote Access - VPN

In that case you will not be able to terminate the remote access VPNs on the firewall unless the ISP NATs one of your public IPs to the external interface of your ASA.

The only other way around this will be to use some of your public address space on the network between the firewall and ISP router.

New Member

Re: Remote Access - VPN

If I select the ISP NAT option, how do I need to set up the ASA to avoid the NAT-IPsec issue?

Thanks.

New Member

Re: Remote Access - VPN

You need to enable nat traversal with the following command:

"isakmp nat-traversal"

Good Luck!

New Member

Re: Remote Access - VPN

You will enable it on the internet.
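
The advice in the replies above, put together as an added example that is not part of any post in this thread: a minimal IPsec remote-access configuration bound to the interface named internet, with NAT traversal enabled for the case where the ISP NATs a public IP to the ASA. It assumes ASA 8.0 to 8.2 command syntax (the same "crypto isakmp" form used in the thread) and that the default route points out the internet interface; the names RA_POOL, RA_TS, RA_DYN, internet_map, RA_GP and RA_TG, the pool range and the key placeholder are constructed for illustration.

```cisco
! Constructed example, assumed ASA 8.0-8.2 syntax. All RA_* names are hypothetical.
!
! Address pool handed to VPN clients; must not overlap any inside subnet
! (192.168.80.0/24, 192.168.90.0/24 and 192.168.252.0/30 are in use above).
ip local pool RA_POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
!
! Phase 1 (IKE) policy. The DH group must match what the client offers.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Terminate IKE on the interface that carries the default route.
crypto isakmp enable internet
!
! NAT traversal: needed when the ISP router translates a public IP to
! 10.0.11.99. 20 is the keepalive interval in seconds.
crypto isakmp nat-traversal 20
!
! Phase 2 (IPsec). A dynamic map is used because client source IPs are unknown.
crypto ipsec transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_TS
crypto map internet_map 65535 ipsec-isakmp dynamic RA_DYN
crypto map internet_map interface internet
!
! Group policy and tunnel group the client connects to.
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_TG ipsec-attributes
 pre-shared-key <REPLACE-WITH-GROUP-KEY>
!
! Users are checked against the LOCAL database unless an AAA server group
! is set under general-attributes, so at least one username must exist.
```

With NAT traversal negotiated, the ISP device in front of the ASA has to pass UDP 500 and UDP 4500 to the internet interface address; "show crypto isakmp sa" and "show crypto ipsec sa" confirm whether both phases came up.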
