ASA 5510 - Interface Security Level

cdcjim2877
Level 1

I have an ASA 5510 (8.2.1 code). I am setting up two separate IPSec tunnels to remote networks, but each remote connection to a respective ASA interface.

Question: I know that the e0/0 ("outside") interface's security level is 0. However, does the second interface, e0/2 ("out2") security level have to be set to 0 as well?

Thanks,

Jim

3 Replies

Collin Clark
VIP Alumni

Jim-

0 is the default setting for the interface tagged 'outside'. You can change it if you like. That being said, your 'outside2' interface can be 0 or any other number. It should not matter to the IPSec tunnel what the security level is.

Hope that helps.

Collin - Would it be possible to create a site-to-site vpn endpoint on other ASA interfaces that are not the "outside" interface?

I have a need to have two VPN endpoints on the same ASA device but I need to use separate interfaces (e0/2 and e0/3).

I will still need to maintain Internet access to e0/0 (outside) for the network on e0/1 (inside).

It is not a requirement that the VPN endpoint networks on e0/2 and e0/3 connect to the Internet or "inside" networks...only each other (respectively).

Yes you can, just apply the respective crypto map to the interface. You might want to make e0/2 and e0/3 the same security level (if your security policy allows it) and same-security-traffic permit inter-interface. That permits communication between different interfaces that have the same security level. Then you can skip the whole NAT mess.
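
The setup described in the reply above, sketched as an ASA 8.2-style configuration. This is an added example, not configuration posted by anyone in the thread. The interface name out3, the crypto map, ACL and transform-set names, all addresses (documentation ranges), the remote subnets and the pre-shared keys are assumptions. Level 50 is an arbitrary value chosen so that out2 and out3 share a level with each other but not with outside (0) or inside (100).

```cisco
! Constructed example: every name, address and key below is a placeholder.
interface Ethernet0/2
 nameif out2
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface Ethernet0/3
 nameif out3
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Permit traffic between interfaces that share a security level (out2 <-> out3).
same-security-traffic permit inter-interface
!
! Assumed: site A (10.10.0.0/24) sits behind peer 192.0.2.2 on out2,
!          site B (10.20.0.0/24) sits behind peer 198.51.100.2 on out3.
route out2 10.10.0.0 255.255.255.0 192.0.2.2
route out3 10.20.0.0 255.255.255.0 198.51.100.2
access-list VPN-OUT2 extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPN-OUT3 extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! One crypto map per tunnel, each applied to its own interface.
crypto map MAP-OUT2 10 match address VPN-OUT2
crypto map MAP-OUT2 10 set peer 192.0.2.2
crypto map MAP-OUT2 10 set transform-set ESP-AES256-SHA
crypto map MAP-OUT2 interface out2
crypto isakmp enable out2
!
crypto map MAP-OUT3 10 match address VPN-OUT3
crypto map MAP-OUT3 10 set peer 198.51.100.2
crypto map MAP-OUT3 10 set transform-set ESP-AES256-SHA
crypto map MAP-OUT3 interface out3
crypto isakmp enable out3
!
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-A
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-B
```

The same-security-traffic permit applies to every pair of interfaces at the same level, so check which other interfaces share the chosen value before enabling it.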
