Site to Site VPN using one interface to Peer and LAN

Leo Liu
Level 1

Hi,

I have an ASA 5580 to do a site-to-site VPN with our partner. The VPN connection goes through my outside interface, and the local LAN for the VPN is on the outside interface too. Is it possible to do it? Thanks.

1 Accepted Solution


Marvin Rhoads
Hall of Fame

The layout you describe is contrary to the fundamental firewall concept of establishing trusted and untrusted (higher and lower security level) interfaces.

If your local LAN is on the outside interface, what is to stop the remote users from simply accessing it directly? 

2 Replies

Dear Marvin,

Thanks for your advice.

After I change local LAN to other interface on firewall, problem is resolved.

The requirement is to connect a remote LAN that uses public IPs with a local LAN that uses private IPs (which cannot be NATed to public IPs for technical reasons). That's why we thought of establishing a VPN tunnel between them.

I found another way to resolve it but never tried it, since the problem is already resolved.

———————————————————————————————————————————————————————————

http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html#wp1383263

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the security appliance is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the security appliance and then out again to the other spoke.

———————————————————————————————————————————————————————————

Anyway, thanks again for your advice. :-)
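As an added example (not from this thread or from Cisco's documentation) of the hub-and-spoke case the quoted text describes, here is a hub ASA fragment in ASA 8.3+ syntax showing what has to accompany the intra-interface command so that hairpinned spoke-to-spoke traffic is re-encrypted rather than forwarded in the clear. The interface name, object names and the 10.1.0.0/24 and 10.2.0.0/24 spoke subnets are assumptions, and the peer and transform-set lines of each crypto map entry are omitted as they do not differ from an ordinary site-to-site setup.

```text
! Hub ASA, constructed example. Allows traffic that arrived on "outside"
! (decrypted from spoke A) to be routed back out "outside" (encrypted to spoke B).
same-security-traffic permit intra-interface
!
object network SPOKE_A
 subnet 10.1.0.0 255.255.255.0
object network SPOKE_B
 subnet 10.2.0.0 255.255.255.0
!
! Each spoke's crypto ACL on the hub must also match the OTHER spoke's subnet.
! If spoke B's subnet is missing from spoke A's ACL, hairpinned traffic matches
! no tunnel and leaves "outside" unencrypted.
access-list VPN_TO_SPOKE_A extended permit ip object SPOKE_B object SPOKE_A
access-list VPN_TO_SPOKE_B extended permit ip object SPOKE_A object SPOKE_B
crypto map OUTSIDE_MAP 10 match address VPN_TO_SPOKE_A
crypto map OUTSIDE_MAP 20 match address VPN_TO_SPOKE_B
!
! Identity NAT so the outside,outside path leaves spoke addresses unchanged.
nat (outside,outside) source static SPOKE_A SPOKE_A destination static SPOKE_B SPOKE_B no-proxy-arp route-lookup
!
! Note: intra-interface permits hairpinning for all traffic on that interface,
! so the interface ACL or a VPN filter still decides what one spoke may reach
! on another; it is not limited to the two subnets above by itself.
```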