https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078414#M1069800 <P>Hi Sheraz,</P><P>&nbsp;</P><P>Many thanks for answering all the questions.</P><P>&nbsp;</P><P>Regards</P><P>Mahesh</P> Sat, 02 May 2020 22:35:00 GMT mahesh18 2020-05-02T22:35:00Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078244#M1069780 <P>Hi Everyone,</P><P>&nbsp;</P><P>We have Cisco ASA 5520 configured for remote VPN where users running windows laptop use vpn client software to connect to</P><P>the company network.</P><P>&nbsp;</P><P>Now for new project I need to config site to site IPSEC tunnel for vendor to connect to our network.</P><P>For this I need to use the ASA outside interface.</P><P>Need to know if i config ASA outside interface for site to site ipsec will it cause any issues with ASA config for Remote VPN users?</P><P>Any issues will it cause to Remote VPN connections?</P><P>&nbsp;</P><P>Regards</P><P>Mahesh</P> Sat, 02 May 2020 04:37:41 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078244#M1069780 mahesh18 2020-05-02T04:37:41Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078274#M1069782 Hi.<BR />There should be no issues running a Site-to-Site VPN and Remote Access VPN on the same outside interface.<BR /><BR />HTH Sat, 02 May 2020 07:18:34 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078274#M1069782 Rob Ingram 2020-05-02T07:18:34Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078368#M1069793 <P>This will work fine.&nbsp; I do this all the time.&nbsp; What you do is NAT your interesting traffic to your interface IP with destination of the remote side of the VPN, then configure your site to site VPN with the public IP of your ASA.</P> <P>NAT example:</P> <P><STRONG>object network LOCAL-LAN</STRONG></P> <P><STRONG>&nbsp;subnet 10.1.1.0 255.255.255.0</STRONG></P> <P><STRONG>object network REMOTE-LAN</STRONG></P> <P><STRONG>&nbsp;subnet 11.1.1.0 255.255.255.0</STRONG></P> <P><STRONG>nat (inside,outside) source dynamic LOCAL-LAN interface destination static REMOTE-LAN REMOTE-LAN</STRONG></P> Sat, 02 May 2020 17:54:51 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078368#M1069793 Marius Gunnerud 2020-05-02T17:54:51Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078389#M1069795 <P>Hi Marius,</P><P>&nbsp;</P><P>Happy to see reply from you.</P><P>We are running old code</P><P><BR />Cisco Adaptive Security Appliance Software Version 8.2(5)59<BR />Device Manager Version 6.4(9)</P><P>&nbsp;</P><P>What we want is that inside traffic subnet 10.96.96.0/24 going to vendor network can access the 10.70.160.0/29 network.</P><P>This is&nbsp; Private network connection that goes via our ISP and it is using 172.24.x.x and 10.x.x.x network.</P><P>&nbsp;</P><P>Outside Interface IP is 10.61.10.20.</P><P>We do not want any NAT.</P><P>&nbsp;</P><P>So this NAT config is good&nbsp;</P><P>&nbsp;</P><P>static (inside,outside) 10.96.96.0 10.96.96.0 netmask 255.255.255.0</P><P>&nbsp;</P><PRE>crypto isakmp enable outside crypto isakmp policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400<BR /><BR /></PRE><PRE><STRONG>crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac</STRONG></PRE><P>&nbsp;</P><PRE>access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.010.71.160.0 255.255.255.248<BR /><BR />tunnel-group 172.24.32.115 type ipsec-l2l<BR />tunnel-group 172.24.32.115 ipsec-attributes<BR />pre-shared-key XXXXXXXXXX<BR /><BR /></PRE><PRE>crypto map L2L 1 match address LAN_Traffic crypto map L2L 1 set peer 172.24.32.115 crypto map L2L 1 set transform-set L2L</PRE><PRE><STRONG>crypto map L2L interface outside</STRONG></PRE><P>&nbsp;</P><P>IS this config good.</P><P>Please check?</P><P>&nbsp;</P><P>And security policy will allow any traffic from 10.96.96.x to 10.70.160.x right?</P><P>Also I&nbsp; need security policy to allow traffic from vendor to our network if vendor ping from subnet 10.70.160.0 to 10.96.96.2 right?</P> Sat, 02 May 2020 20:02:19 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078389#M1069795 mahesh18 2020-05-02T20:02:19Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078395#M1069796 <P>Yes configuration looks good. however you running old software which is EOL so consider doing upgrade. <A href="http://authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400" target="_self">here</A> document mentioned how to setup a site to site vpn version 8.0.</P> <P>&nbsp;</P> <P>you configuration for nat will be like this</P> <PRE>nat (inside) 0 access-list inside_nat0_outbound ! access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 remote 255.255.255.0 </PRE> <P>&nbsp;</P> <P>And security policy will allow any traffic from 10.96.96.x to 10.70.160.x right?</P> <P>correct.</P> <P>Also I need security policy to allow traffic from vendor to our network if vendor ping from subnet 10.70.160.0 to 10.96.96.2 right?</P> <P>correct</P> Sat, 02 May 2020 20:58:22 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078395#M1069796 Sheraz.Salim 2020-05-02T20:58:22Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078397#M1069797 <P>Need to confirm that NAT config below is correct</P><P>Also this NAT will only apply to the below NAT config right?</P><P>&nbsp;</P><PRE>nat (inside) 0 access-list inside_nat0_outbound<BR /><BR /></PRE><PRE>access-list inside_nat0_outbound extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.248</PRE><P>&nbsp;</P> Sat, 02 May 2020 21:04:54 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078397#M1069797 mahesh18 2020-05-02T21:04:54Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078408#M1069799 <P>yes correct. here is the sample configuration.</P> <P>&nbsp;</P> <PRE>crypto isakmp enable outside ! crypto isakmp policy 1 authentication pre-share encryption aes hash sha group 2 lifetime 86400 ! tunnel-group 8.8.8.8 type ipsec-l2l tunnel-group 8.8.8.8 ipsec-attributes pre-shared-key superman ! access-list 100 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.248 ! crypto ipsec transform-set myset esp-aes esp-sha-hmac ! crypto map outside_map 10 set peer 8.8.8.8 crypto map outside_map 10 match address 100 crypto map outside_map 10 set transform-set myset crypto map outside_map 10 set pfs crypto map outside_map interface outside ! group-policy SITE_A internal vpn-tunnel-protocol ipsec ! group-policy SITE_A attributes vpn-idle-timeout none ! tunnel-group 8.8.8.8 general-attributes default-group-policy SITE_A ! NAT Exemption access list that defines the traffic to be exempted from the NAT checks. In this version, it appears similar to the access list that you defined for the traffic of interest: ! access-list nonat line 1 extended permit ip 10.96.96.0 255.255.255.0 10.70.10.0 255.255.248 ! The access list is used with the NAT, as shown here: ! nat (inside) 0 access-list nonat ! Note: The inside here refers to the name of the inside interface on which the ASA receives the traffic that matches the access list. </PRE> Sat, 02 May 2020 22:18:47 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078408#M1069799 Sheraz.Salim 2020-05-02T22:18:47Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078414#M1069800 <P>Hi Sheraz,</P><P>&nbsp;</P><P>Many thanks for answering all the questions.</P><P>&nbsp;</P><P>Regards</P><P>Mahesh</P> Sat, 02 May 2020 22:35:00 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4078414#M1069800 mahesh18 2020-05-02T22:35:00Z https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4079906#M1069873 <P>Seems one thing need too confirm as we want to allow traffic which is initiated&nbsp; from outside to inside like below</P><P>&nbsp;</P><P>access-list outside_acl extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log<BR />access-list outside_acl extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log</P><P>&nbsp;</P><P>Also for inside interface i have below acl already configured say</P><P>&nbsp;</P><P>&nbsp;access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log<BR />access-list inside_acl extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log</P><P>&nbsp;</P><P>&nbsp;</P><P>so in crypto map how i will refer which name i need to refer to?</P><P>&nbsp;</P><P>do i need to create new acl and name it say nonat and config the above acl there?</P> Tue, 05 May 2020 17:12:25 GMT https://community.cisco.com/t5/network-security/using-cisco-asa-outside-interface-for-ipsec-tunnel-and-remote/m-p/4079906#M1069873 mahesh18 2020-05-05T17:12:25Z