I am trying to set up two EzVPNs to two different IP addresses configured on VLANs in a Cisco ASA firewall. On the physical interface facing the Internet I have the following configuration:
interface ethernet 0/0
 description To INTERNET
 no ip address
interface ethernet 0/0.10
 ip address 188.8.131.52 255.255.255.0
interface ethernet 0/0.20
 ip address 184.108.40.206 255.255.255.0
The problem is that the VPN (using the Cisco VPN client from a remote PC) works fine when connecting to the IP address of the Outside interface (220.127.116.11), but it does not work when connecting to the IP address of the Outside2 interface (18.104.22.168). The ASA has a route to the source address of the tunnel via the Outside interface, and because of that I get the following error when connecting to the IP address of the Outside subinterface:
"Routing failed to locate next hop for icmp from Outside2:22.214.171.124 to Outside2:126.96.36.199". The 188.8.131.52 is the IP address of the WinXP machine initiating the VPN. The reason for the failure is clear, but I want to know if there is a way to allow the traffic to enter Outside2 and use the route via Outside to complete the VPN. I already applied the commands "same-security-traffic permit inter-interface" and "same-security-traffic intra-interface", but it does not work. If I create a static route to reach 184.108.40.206/24 via Outside2, then communication works but, as expected, the VPN using the Outside interface stops working. Any help will be greatly appreciated. I have attached a network diagram with some additional information.
What you are trying to do is not possible, since it is traffic destined to the ASA itself, which needs to be processed by the VPN engine.
If the ISAKMP packet hits the Outside2 interface, then we expect the next packet to hit that same interface; there is no way to have the ASA respond to an ISAKMP packet from a different interface and make the connection work.
Please let me know if this answers your questions.
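To illustrate the answer's point, here is an added example (not from this thread or from Cisco) that models the ASA's to-the-box routing decision as a longest-prefix-match lookup and flags the ingress/egress interface mismatch that produces the "Routing failed to locate next hop" error. The route table and the peer address are constructed for the example; only the two /24 subnets are taken from the question.

```python
import ipaddress

# Constructed route table modelled on the question: a default route via
# Outside plus the two connected /24 subnets of the subinterfaces.
ROUTES = [
    ("0.0.0.0/0", "Outside"),          # default route, as on the poster's ASA
    ("188.8.131.0/24", "Outside"),     # connected subnet of Outside
    ("184.108.40.0/24", "Outside2"),   # connected subnet of Outside2
]


def egress_interface(dst_ip, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would use to reach dst_ip,
    or None when no route covers it."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nameif in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nameif)
    return best[1] if best else None


def check_tobox_vpn(peer_ip, ingress_if, routes=ROUTES):
    """Traffic terminated on the ASA itself (ISAKMP/IPsec) must be answered on
    the interface it arrived on.  Returns (ok, egress_if); ok is False when
    the route lookup would send the reply out a different interface, which is
    exactly the case the poster sees on Outside2."""
    egress = egress_interface(peer_ip, routes)
    return (egress == ingress_if, egress)


def add_static_route(prefix, nameif, routes=ROUTES):
    """Return a new table with a more specific static route prepended, to show
    why the poster's workaround fixes one interface and breaks the other."""
    return [(prefix, nameif)] + list(routes)


if __name__ == "__main__":
    peer = "198.51.100.7"  # constructed remote VPN client address
    for nameif in ("Outside", "Outside2"):
        print(nameif, check_tobox_vpn(peer, nameif))
```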