topic Re: ASA VPN Endpoint in Network Security

ASA VPN Endpoint

ardealului — Mon, 11 Mar 2019 14:20:59 GMT

I have the following setup:

private IP ((non-routable) IP on the outside Interface that goes into a Router with the public (routable) IP Address) <-> ASA <-> IP DMZ (internal Interface with routable IP)

What i want to achieve is to be able to establish vpn tunnels (road warrior, not site-to-site) to the inside Interface (routable IP) and not the outside interface (non-routable IP).

Is this even possible ?

let me elaborate a bit:

the idea is that the outside interface of the ASA has a private IP Address. This means that this address is not routable, so i cannot use it to connect the vpn clients to it. What i want to achieve is to be able to use the IP Address of the same ASA that resides on the DMZ Interface (which is a public/routable IP Address).

The problem is that even if i enable management-access on that interface, i have no idea if i would be able to connect to it. And since this is part of a larger ASA Production Setup, i cannot really play around with the IP Addresses (the simple way would be to subnet my dmz further and assign a small subnet on the outside interface of the asa to the border routers).

Anyway, anybody, please let me know if i can terminate vpn tunnels on the inside interface of an ASA.

Re: ASA VPN Endpoint

andrew.prince — Fri, 05 Dec 2008 15:59:01 GMT

You will still have to connect to a public routeable IP address. You can do what you want to do - you just enable the ISAKMP/IPSEC termination on the DMZ interface. You will have to have a static NAT entry to allow this to happen - as I do not think you can perform PAT for IPSEC.

HTH>

Re: ASA VPN Endpoint

noc — Tue, 13 Jan 2009 02:13:27 GMT

Hi Andrew:

I'm trying to do the same thing as the original poster. My OUTSIDE interface has an non-routable private IP address and the INSIDE interface has static public IP address.

I want to terminate my VPNs on the INSIDE interface, but that's not working with a fresh ASA configuration with everything enabled.

Regards,

Jorge

Re: ASA VPN Endpoint

andrew.prince — Tue, 13 Jan 2009 09:40:40 GMT

Jorge,

Sorry I am confused - your "outside" ip address is one of the:-

10/8

172.16/31

192.168/16

addresses ranges?

And the Inside has an Internet IP address?? Errrrmmmm I would personaly reverse it, have the internet address on the outside and the internal on the inside = the normal firewall setup and configuration.

HTH>

Re: ASA VPN Endpoint

noc — Fri, 16 Jan 2009 16:54:58 GMT

Hi Andrew:

Thank you for your comments. This is a special requirement, and as of now is working.

My question is if there is a special configuration required to accept VPNs in the INSIDE interface.

Regards,

Jorge

Re: ASA VPN Endpoint

andrew.prince — Sat, 17 Jan 2009 09:07:27 GMT

Jorge,

NO not really - the only config change that you need to make is:-

Instead of - crypto isakmp enable outside

you configure

crypto isakmp enable inside

This will allow VPN's to create/terminate on the inside interface.

HTH>