topic Re: IPSEC VPN termination on different ip in Network Security

IPSEC VPN termination on different ip

christian-goedhart — Fri, 21 Feb 2020 16:06:06 GMT

Hi,

On my asa i have a outside ip address on the outside interface. And i have a subnet routed to said IP. Is it possible for me to use one of the routed ip addresses as gateway for the VPN tunnels? I know you can't make loopback addresses on an ASA but i was wondering if there is a different solution.

Example

interface GigabitEthernet1/1
nameif outside
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface Loopback1

nameif VPN

ip address 2.2.2.1 255.255.255.255

crypto map outside_map interface VPN

Except i can't create Loopbacks on an ASA

Re: IPSEC VPN termination on different ip

Dennis Mink — Tue, 14 Aug 2018 08:48:52 GMT

Typically what happens is that you use the public ip address on the outside interface your vpn termination point. and open that IP address for esp and isakmp. is there any particular reason why you want to terminate on a different public IP?

Re: IPSEC VPN termination on different ip

christian-goedhart — Tue, 14 Aug 2018 08:54:04 GMT

The reason is that there is a migration of firewalls. We are moving from a single firewall to a cluster. We did not have a spare ip address in the range to set as a standby address so we changed the outside ip range to one where we had a spare ip address en routed the block that was on the firewall to the new ip address.

We want to terminate on the same ip address that was on the old firewall so we don't have inform all the other parties of the ip change.

Re: IPSEC VPN termination on different ip

Mohammed al Baqari — Tue, 14 Aug 2018 10:22:19 GMT

You can't terminate VPN on another interface of the ASA. This won't work
for other reasons.