topic Re: ASA VPN Interface should be outside interface? in Network Security

ASA VPN Interface should be outside interface?

lydia.walther — Mon, 11 Mar 2019 14:25:14 GMT

Hey,

is it necessary that the interface what we want to use for vpn is simultaneous the outside-interface?

Or is it possible to have one outside-interface and another physical interface for vpn???

greetings

Re: ASA VPN Interface should be outside interface?

Alan Huseyin Kayahan — Fri, 12 Dec 2008 11:07:25 GMT

Hello Lydia,

Sure you can have VPN terminated at every interface of firewall, with the proper routes for peers and NAT statements are added.

Regards

Re: ASA VPN Interface should be outside interface?

laptev.valery — Tue, 27 Apr 2010 06:39:36 GMT

you can allow VPN on inside interfa

ce too, you can put mark in the chekbox, in IPsec connections page(ASDM)

Re: ASA VPN Interface should be outside interface?

astripat — Tue, 27 Apr 2010 20:14:43 GMT

Hi Lydia,

You can terminate the vpn on any interface. Let's take the following example:

Router (Remote n/w 192.168.1.1/24)

ISP1 ISP2

2.2.2.2 3.3.3.3

| |

outside outside2

\ /

ASA

Inside

Let's say that we have established a L2L tunnel with a router and the network behind the router to which we want to talk is 192.168.1.1/24.

Now, on the ASA we have the default route as follows:

route outside 0 0 2.2.2.2

Now, if the cryptomap is applied on outside2 interface and the tunnel gets initiated from the remote router, the packet would reach the firewall, but when the reply goes, it checks the routing table and sends the packet towards outside interface and it gets dropped. So, we need to have a specific route fro the remote n/w as follows to make it work:

route outside2 192.168.1.0 255.255.255.0 3.3.3.3

HTH

Ashu.