New Member

Site to Site VPN using one interface to Peer and LAN

Hi,

I have an ASA 5580 to do a site-to-site VPN with our partner. The VPN connection goes through my outside interface, and the local LAN for the VPN is on the outside interface too. Is it possible to do this? Thanks.


1 ACCEPTED SOLUTION

Hall of Fame Super Silver

The layout you describe is contrary to the fundamental firewall concept of establishing trusted and untrusted (higher and lower security level) interfaces.

If your local LAN is on the outside interface, what is to stop the remote users from simply accessing it directly? 

2 REPLIES
New Member

Dear Marvin,

Thanks for your advice.

After I change local LAN to other interface on firewall, problem is resolved.

The request is to connect a remote LAN that uses public IPs with a local LAN that uses private IPs (which cannot be NATed to public IPs for technical reasons). That's why we thought of establishing a VPN tunnel between them.

I found another way to resolve it but never tried it, since the problem is resolved.

———————————————————————————————————————————————————————————

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.

———————————————————————————————————————————————————————————

Anyway, thanks again for your advice. :-)
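For readers who want to see what the quoted command actually changes, here is an added configuration example (not from the thread, the poster, or Cisco's documentation) of the hairpin layout in ASA 8.4+ syntax. All addresses, object names, the crypto-map name and the pre-shared key are placeholders chosen for illustration; note that it does nothing to address Marvin's point that the LAN still sits on the untrusted side of the firewall.

```cisco
! Placeholder addressing (constructed for this example):
!   local LAN, private, reachable only via the outside interface: 10.1.1.0/24
!   partner's remote LAN, public:                                203.0.113.0/24
!   partner's VPN peer:                                          198.51.100.1
!
! By default the ASA drops a packet that would enter and leave the same
! interface, so decrypted tunnel traffic destined for a LAN that hangs off
! "outside" is discarded. This global setting lifts that restriction.
same-security-traffic permit intra-interface

! The ASA must know the private LAN lives behind the outside next hop
! (placeholder router address).
route outside 10.1.1.0 255.255.255.0 192.0.2.1

object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network PARTNER-LAN
 subnet 203.0.113.0 255.255.255.0

! Identity NAT: private addresses enter the tunnel untranslated. Both sides
! are "outside" because the LAN and the peer share that interface.
nat (outside,outside) source static LOCAL-LAN LOCAL-LAN destination static PARTNER-LAN PARTNER-LAN no-proxy-arp route-lookup

! Interesting traffic for the tunnel
access-list VPN-TO-PARTNER extended permit ip object LOCAL-LAN object PARTNER-LAN

! IKEv1 phase 1 and phase 2 parameters
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-PSK

! Bind the crypto map to the same interface the LAN is reached through;
! without the intra-interface permit above, the hairpin never forwards.
crypto map OUTSIDE-MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
```

After applying it, `show crypto ipsec sa` should show encaps and decaps counters incrementing on the outside interface; if only one direction counts, the intra-interface permit or the identity NAT is usually what is missing.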
