01-28-2008 04:18 PM - edited 02-21-2020 03:30 PM
We have an ASA5520 with 3 active VPN connections, currently with one active Public interface on a DSL link (8 IP addresses), and an EOL PIX 515 VPN with 7 VPN connections on another Public network (10Mb connection, Class C network).
We need to migrate the VPN tunnels from the 515 to the 5520. I would like to create a new Public Interface on the 5520 in the 10Mb Class C pool, and migrate the 515 tunnels over to this, then move the 3 existing VPN tunnels onto this 10Mb network. Finally, decommission the DSL link and interface.
First, can the ASA5520 support VPN configuration with 2 separate Public IP interfaces, and second, if this is possible, could I get a configuration example of this setup?
01-28-2008 05:30 PM
Hi Russel
Yes, the ASA5520 supports VPN configuration for more than one public IP. But...
An ASA or PIX cannot have IPs from the same subnet assigned to different interfaces. For example, if you assign the IP address xxx.xxx.xxx.50 255.255.255.248 from your 8-address public block, you cannot assign another IP from this subnet to another interface.
Here is a sample config:
L2L peer 1:
Peer IP: yyy.yyy.yyy.88
LAN Subnet: 192.168.50.0/24
Pre-shared-key: asdf
L2L peer 2:
Peer IP: aaa.aaa.aaa.25
LAN Subnet: 172.16.10.0/24
Pre-shared-key: jklm
interface Ethernet0
 nameif outside1
 security-level 0
 duplex auto
 no shutdown
 ip address xxx.xxx.xxx.50 255.255.255.248
interface Ethernet1
 nameif inside
 security-level 100
 duplex auto
 no shutdown
 ip address anipinlocalnetwork localnetworkmask
interface Ethernet2
 nameif outside2
 security-level 1
 duplex auto
 no shutdown
 ip address xxx.xxx.xxx.58 255.255.255.248
! peer 2 and its LAN are reached through outside2; everything else follows the default route via outside1
route outside2 aaa.aaa.aaa.25 255.255.255.255 xxx.xxx.xxx.56
route outside2 172.16.10.0 255.255.255.0 xxx.xxx.xxx.56
route outside1 0.0.0.0 0.0.0.0 xxx.xxx.xxx.48
! interesting traffic for each tunnel
access-list peer1 permit ip localnetwork localnetmask 192.168.50.0 255.255.255.0
access-list peer2 permit ip localnetwork localnetmask 172.16.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! one crypto map per outside interface, each bound to its own interface name
crypto map outside1_map 10 set peer yyy.yyy.yyy.88
crypto map outside1_map 10 match-address peer1
crypto map outside1_map 10 set transform-set ESP-3DES-MD5
crypto map outside1_map interface outside1
crypto map outside2_map 10 set peer aaa.aaa.aaa.25
crypto map outside2_map 10 match-address peer2
crypto map outside2_map 10 set transform-set ESP-3DES-MD5
crypto map outside2_map interface outside2
tunnel-group yyy.yyy.yyy.88 type ipsec-l2l
tunnel-group yyy.yyy.yyy.88 ipsec-attributes
 pre-shared-key asdf
tunnel-group aaa.aaa.aaa.25 type ipsec-l2l
tunnel-group aaa.aaa.aaa.25 ipsec-attributes
 pre-shared-key jklm
! ISAKMP must be enabled on both outside interfaces
crypto isakmp enable outside1
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! PAT out of each outside interface; exempt the VPN traffic from NAT
nat (inside) 1 0 0
nat (inside) 0 access-list inside_nat0_outbound
global (outside1) 1 interface
global (outside2) 1 interface
access-list inside_nat0_outbound permit ip localnetwork localnetmask 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip localnetwork localnetmask 172.16.10.0 255.255.255.0
I might have typos or omissions, as I have been typing for 30 minutes and it's late here :) I hope this helps; feel free to ask further questions.
Regards
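As an added consistency check, not part of the thread or of any Cisco tool: a small Python script that parses a config in the shape of the reply above and flags the three things most likely to break a two-outside VPN layout: two interfaces in one subnet, a crypto map bound to an interface name that does not exist, and a peer with no ipsec-l2l tunnel-group. The sample config is constructed, with RFC 5737 documentation addresses standing in for the masked octets.

```python
import ipaddress
from itertools import combinations

# Constructed sample shaped like the reply's config (RFC 5737 addresses, an assumption): it keeps an "interface outside" slip and adds a deliberate shared /29.
SAMPLE_CONFIG = """
interface Ethernet0
 nameif outside1
 ip address 198.51.100.50 255.255.255.248
interface Ethernet2
 nameif outside2
 ip address 198.51.100.52 255.255.255.248
crypto map outside1_map 10 set peer 203.0.113.88
crypto map outside1_map interface outside1
crypto map outside2_map 10 set peer 203.0.113.25
crypto map outside2_map interface outside
tunnel-group 203.0.113.88 type ipsec-l2l
"""

def parse(config):
    # Collect interfaces (by nameif), crypto maps with their peers/binding, and L2L tunnel-groups.
    ifaces, maps, groups, name = {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        parts = line.split()
        if line.startswith("nameif "):
            name = parts[1]
        elif line.startswith("ip address ") and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif line.startswith("crypto map "):
            entry = maps.setdefault(parts[2], {"peers": set(), "iface": None})
            if parts[3] == "interface":
                entry["iface"] = parts[4]
            elif parts[4:6] == ["set", "peer"]:
                entry["peers"].update(parts[6:])
        elif line.startswith("tunnel-group ") and "ipsec-l2l" in line:
            groups.add(parts[1])
    return ifaces, maps, groups

def check(config):
    # Return a list of findings; an empty list means the dual-outside layout is consistent.
    ifaces, maps, groups = parse(config)
    findings = []
    for a, b in combinations(ifaces, 2):  # the ASA refuses two interfaces in one subnet
        if ifaces[a].network == ifaces[b].network:
            findings.append(f"{a} and {b} share subnet {ifaces[a].network}")
    for name, m in maps.items():
        if m["iface"] not in ifaces:
            findings.append(f"crypto map {name} bound to unknown interface {m['iface']}")
        for peer in sorted(m["peers"] - groups):
            findings.append(f"peer {peer} in crypto map {name} has no ipsec-l2l tunnel-group")
    return findings
```

Run `check()` on a sanitised copy of the running-config before cutting tunnels over; the same checks apply when migrating the PIX tunnels onto the new interface.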
01-29-2008 09:32 AM
Thank you for this fast response! Even if there are typos, I can proceed with this project using this information. (Just needed confirmation before proceeding.) I am surprised that Cisco does not have this scenario posted as an example; I would think that it would be fairly common to have a single device with 2 separate Internet links, and VPN connections on both of them...
Hope I did not make you stay up too late!... :)
01-30-2008 04:11 PM
"Just needed confirmation before proceeding"
I have an ASA 5540 with 2 RA and 8 L2L VPN tunnels terminated on different interfaces. I will be monitoring this question for any further questions that may come up during the process.
"Hope I did not make you stay up too late"
Don't worry, you didn't :)
You are welcome.
Please don't forget to rate the post(s) that were helpful and to mark the issue resolved if it answered your question.
Regards