Cisco Support Community

Setup VPN using separate interfaces from ASA to L3 switch

I would like to set up a host-to-net VPN on my dual ASA 5520s. I want to put the VPN traffic on a separate VLAN. I attached a diagram to show what I would like to do. Because I'm using an inline Barracuda web filter, I can't send VLAN trunks through the inside interface. So I guess I would have to utilize a separate interface that would send the VPN VLAN around the Barracuda. How can I route traffic this way?

My main server VLAN is which also has inside interface of the ASA on it. I would like to have the VPN on VLAN 60 ( and force the traffic from the ASA, around the barracuda, and to the switch stack for routing.

Basically, I want VPN sessions to be filtered by the Barracuda unit, just like everyone is at the office. I want incoming VPN sessions to go through a separate interface back to my switch stack and then follow the same path as everyone else out to the Internet for web browsing. I'm assuming that this will involve ACLs on the ASA interfaces.

What is the best way to go about this? Thanks.



Re: Setup VPN using separate interfaces from ASA to L3 switch

One way you may be able to achieve this is via VLAN mapping. You can trunk the second interface to the switch and configure a VLAN subinterface. You can then associate the VLAN with the VPN client group-policy. You could then configure a tunneled default route or more specific routes via this interface.
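
The VLAN-mapping approach from the reply above, sketched as an ASA configuration. This is an added example, not configuration posted by anyone in the thread. Assumptions: GigabitEthernet0/2 is the spare port trunked to the switch stack, 192.0.2.0/24 stands in for the VLAN 60 subnet (the post does not give it), 192.0.2.254 is the L3 switch address on VLAN 60, and REMOTE-USERS is a placeholder group-policy name.

```cisco
! Constructed values throughout; only "VLAN 60" comes from the thread.

! Physical port carries the trunk and has no address of its own
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Subinterface tagged for VLAN 60; name and security level are assumptions
interface GigabitEthernet0/2.60
 vlan 60
 nameif vpn-return
 security-level 100
 ! standby address is for the second ASA of the failover pair
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! VLAN mapping: sessions that receive this group-policy are restricted
! to leaving the ASA on the VLAN 60 subinterface
group-policy REMOTE-USERS attributes
 vlan 60
!
! Tunneled default route: applies only to traffic decrypted from a VPN
! tunnel when no more specific route matches. Only one may be configured.
route vpn-return 0.0.0.0 0.0.0.0 192.0.2.254 tunneled
```

The switch stack also needs a route for the VPN client address pool that points back at the subinterface address, so that return traffic takes the same path. Running `show vpn-sessiondb detail` against a test client (the exact keyword for the session type varies by ASA version) should list the mapped VLAN for that session.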