Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Multiple VPNs to ASA vlan interfaces

Dear Experts,

I am trying to setup two ezvpns to two diferent ip addresses configured on vlans in a Cisco ASA firewall. In the physical interface facing the Internet I have the following configuration:

interface ethernet 0/0

     description To INTERNET

     no nameif

     no security-level

     no ip address


interface ethernet 0/0.10

     vlan 10

     nameif Outside

     security-level 0

     ip address


interface ethernet 0/0.20

     vlan 20

     nameif Outside2

     security-level 0

     ip address

The problem is that the VPN (using cisco vpn client from a remote PC) work fine when connecting to the ip address of the Outside Interface ( but it does not work when connecting to the ip address of the Outside2 interface ( The ASA has a route to the source address of the tunnel via the Outside interface, because of that I get the following error when connecting to the ip address of the Outside subinterface:

“Routing failed to locate next hop for icmp from Outside2: to Outside2:”. The is the ip address of the WinXP machine initiating the VPN. Is clear the reason of the failure but I want to know if there is a way a allow the traffic to enter Outside2 and use the route via Outside to complete the VPN. I already applied the commands: "same-security-traffic permit inter-interface" and "same-security-traffic intra-interface" but it does not work. If I create a static route to find the /24 via Outside 2 then communication works but as expected the VPN using the Outside interface stops working. Any help will be greatly appreciated. I have attached a network diagram with some additional information.

Best Regards,



Multiple VPNs to ASA vlan interfaces

Hi Roberto,

What you are trying to do is not possible since it is traffic destined to the ASA itself and which needs to be proccesed by the VPN engine.

If the ISAKMP packet hits the Outside2 interface, then we expect the next packet to hit that same interface, there is no way to have the ASA respond to an ISAKMP packet from a different interface and make the connection work.

Please let me know if this answers your questions.


CreatePlease to create content