VPN-RA

 

Hi Experts,

Please help me set up a remote access VPN. I want to set up VPN access on an IP address of mine which is not configured on the outside interface. Also, all inside IPs (say 0.0.0.0) are getting NATed to the outside interface IP. So in this scenario, how is it possible?

--------------------------------------------------------------------------------------------

ASA# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                X.X.X.5   255.255.255.0   manual

 

object network obj_any
 nat (inside,outside) dynamic interface
 

object network obj_any
 subnet 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 X.X.X.6 1
----------------------------------------------------------------------------------------------

I want to set up the VPN with the X.X.X.11 IP. Please suggest how I could do this.


 


Hi Anukalp,

 

What is the version of your ASA?

Do you want to set up an IPsec client-based remote access VPN?

 

thanks

 


Hi.

ASA software version is 9.1(2). Yes, I want to set up an IPsec client-based RA VPN.


Hi Anukalp,

 

Please follow the configuration guide from Cisco link below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_remote_access.html

 

 

If you have a question, let me know.

 

thanks

Rizwan Rafeek.


Hi Rizwan,

I know the RA VPN configuration. My concern is: could we configure an IPsec client-based VPN with an IP which is not configured on the outside interface, but a different IP from the same segment?

Please see my previous answer and suggested resolution for your issue. But in short, it is not possible to terminate a VPN tunnel to an IP that is not configured on an ASA interface.

--

Please remember to select a correct answer and rate helpful posts


Hi Anukalp,

 

Sorry, I didn't understand your question before.

"ip which is not configured on outside interface but with different ip from same segment."

Yes, you can for AnyConnect; as a matter of fact, I have done exactly the same setup on my ASA, but for IPsec, no.

 

thanks

Rizwan Rafeek.

 


@Rizwan - This is unfortunately not possible on the ASA.  Both IPsec and AnyConnect must terminate on the ASA interface so that the ASA can inspect ingress and egress traffic for interesting traffic.


This is not possible; the VPN must terminate on the ASA interface.

An option would be to place a switch between your ASA and your ISP router and then create subinterfaces on your outside interface. Assign the wanted VPN IP to one of the subinterfaces and terminate the VPN on that interface.

So, if you decide or are able to go this route, you could do the following:

! subinterface that carries the VPN IP
interface GigabitEthernet0/0.10
 vlan 10
 security-level 0
 nameif VPN_int
 ip address x.x.x.11 255.255.255.0

! addresses handed out to VPN clients
ip local pool VPNPOOL 10.10.10.1-10.10.10.10

crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5

crypto ipsec ikev1 transform-set VPNSET esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 65535 set ikev1 transform-set VPNSET
crypto dynamic-map DYNMAP 65535 set reverse-route
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
! apply the crypto map and enable IKEv1 on the interface that terminates the VPN
crypto map VPNMAP interface VPN_int

crypto ikev1 enable VPN_int

tunnel-group VPNGROUP type remote-access

! the same tunnel-group name is used in all three tunnel-group commands
tunnel-group VPNGROUP general-attributes
 address-pool VPNPOOL
tunnel-group VPNGROUP ipsec-attributes
 ikev1 pre-shared-key PASSWORD

management-access inside


Thanks Marius, but if I create a subinterface then I need to assign a name to this interface other than outside, and I have put the default route via the outside interface. Since the ASA cannot accept two default routes, would people sitting on the public network be able to reach the X.X.X.11 IP?

Please clear this up.

That is true, the ASA cannot have two active default routes. So the interface you intend to use for the VPN must also be the one that has the default route configured for it.


Thanks Marius for clearing this out.
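
The two constraints given in the replies above (the VPN address must be an IP configured on an ASA interface, and that interface must be the one with the default route) can be checked against a saved configuration before a change window. This is an added example, not part of the original posts and not Cisco tooling; the function names and both sample configs are constructed, with documentation address ranges standing in for the masked X.X.X addresses.

```python
import re
def parse_asa(config):
    """Return (nameif -> IP, default-route nameifs, crypto-map nameifs, IKEv1 nameifs)."""
    ips, routes, maps, ike = {}, set(), set(), set()
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            name = None  # a top-level line closes the previous interface block
        if m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+", line)) and name:
            ips[name] = m.group(1)  # assumes nameif precedes ip address in the block
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", line):
            routes.add(m.group(1))
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            maps.add(m.group(1))
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            ike.add(m.group(1))
    return ips, routes, maps, ike

def check_vpn_termination(config, vpn_ip):
    """List reasons vpn_ip cannot terminate RA IPsec; an empty list means none found."""
    ips, routes, maps, ike = parse_asa(config)
    owner = next((n for n, ip in ips.items() if ip == vpn_ip), None)
    if owner is None:
        return [f"{vpn_ip} is not configured on any ASA interface"]
    checks = [(maps, "no crypto map applied to"), (ike, "IKEv1 not enabled on"),
              (routes, "default route does not point out of")]
    return [f"{msg} {owner}" for bound, msg in checks if owner not in bound]

# Constructed sample configs; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
AS_POSTED = """interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.6 1
crypto map VPNMAP interface outside
crypto ikev1 enable outside
"""
SUBINTERFACE = AS_POSTED + """interface GigabitEthernet0/0.10
 vlan 10
 nameif VPN_int
 ip address 198.51.100.11 255.255.255.0
crypto map VPNMAP interface VPN_int
crypto ikev1 enable VPN_int
"""

if __name__ == "__main__":
    print(check_vpn_termination(SUBINTERFACE, "198.51.100.11"))
```

The first sample reproduces the original question (the wanted address is on no interface); the second reproduces the follow-up, where the subinterface exists but the default route still points out of `outside`.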

No problem.

Thank you for the rating.
