ASA with dedicated VPN interface that's on the same subnet as outside

danielkaiser
Level 1

I was wondering if this is possible or if there is another way around this.

Is it possible to configure the VPN feature on a different interface than the "outside" interface? I want users to connect to a different IP address and interface when connecting through VPN. My goal was to use an interface and name it "vpn" with a security level of 0. The IP address of the vpn interface would be on the same subnet as the outside. This is where I get an error message stating that the subnet overlaps the "outside" interface. Any help would be greatly appreciated.

2 Replies

Fernando_Meza
Level 7

Hi .. you can't allocate two IP addresses on the same range to two interfaces unless you want to use your firewall in transparent mode.

So you only have 2 options:

1.- Get another public range and allocate it to one of the other interfaces. This interface will terminate the VPN connections.

2.- You could use one of the other interfaces. For example, configure one of the interfaces with security level = 1 and address 192.168.1.11/24

and then create a static instruction

static (VPN_interface,outside) x.x.x.x 192.168.1.11 netmask 255.255.255.255

where x.x.x.x is a public address from the available public range.

I hope it helps ... please rate it if it does !!!
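The overlap rule mentioned at the start of this answer can be checked offline before a config is pushed. The following is an added example, not part of the original thread or any Cisco tool: it parses `interface` / `nameif` / `ip address` stanzas and reports interface pairs whose connected subnets overlap. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import itertools
import re

# Constructed sample: the "vpn" interface sits in the same subnet as "outside",
# which is the situation described in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif vpn
 security-level 0
 ip address 203.0.113.3 255.255.255.248
!
"""

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for stanzas with a static address."""
    result, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # new stanza: forget the previous nameif
        elif m := re.match(r"\s+nameif\s+(\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)) and name:
            try:
                result[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:
                pass  # e.g. "ip address dhcp setroute": no static subnet to compare
    return result

def find_overlaps(interfaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap."""
    pairs = itertools.combinations(sorted(interfaces.items()), 2)
    return [(a, b) for (a, ia), (b, ib) in pairs
            if ia.network.overlaps(ib.network)]
```

With the sample above the check reports the `outside`/`vpn` pair; moving `vpn` to a private range such as the 192.168.1.11/24 from option 2 clears it.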

Fernando, thanks for the info. Would you recommend going with option 2 if we don't have another public range, or just using the outside interface for incoming/outgoing and VPN traffic? Thanks for your advice.