
Sample Configuration

stuartmullock
Level 1

Hi

Please can someone provide a sample configuration for terminating a VPN on the inside interface, which has a private address, passing through the outside interface.

I am OK setting up VPNs on the outside interface but I'm struggling to set one up that goes through the firewall.

Thanks

Stuart

4 Replies

Eduardo Aliaga
Level 4

If you're talking about ASA, I think it can't be done. I once tried very hard and it didn't work as expected.

If you're talking about ISRs then my suggestion is to use a tunnel interface.

Hi Eduardoaliaga

It was on an ASA 5510.

I gave up in the end and got a static IP for the WAN interface. BT provide the No NAT 5 service so I can't be the only one that has come across this issue.

Thanks for the response though.

Thanks

Stuart

Hi,

Just out of interest, what was the reason to even attempt to configure the VPN on the "inside" interface of the ASA? I have never run into a situation where I would even need to consider such a setup.

- Jouni

Hi

The IP address that is assigned to the outside interface (when BT provide 'No NAT 5') is dynamic.

I realise I can set up a VPN with a dynamic address but this will be problematic when dealing with third parties.

The 5 static IP addresses that are assigned are on a different subnet to the one dynamically assigned to the outside interface. BT route the traffic for the static subnet to the dynamically assigned IP address (dynamic peering).

I tried assigning one of the static IPs to an interface and applying the crypto map to the inside (it was a DMZ actually) interface. I also tried NATing the static IP to an inside private address with no luck.

I'd still be interested to know if terminating a VPN through the firewall can be done. There's some stuff on Google that suggests it can be done but I had no success. I couldn't get phase 1 complete. I could see attempts to set it up so the routing and interesting traffic were correctly identified.

Thanks

Stuart