topic VPN-reachibility from one interface to one another interface in Network Security

VPN-reachibility from one interface to one another interface

gln — Fri, 21 Feb 2020 17:36:43 GMT

I want to establish RA-VPN. This I have successfully configured on the outside interface of our ASA-5508-X with FTD-image.
(and organized with FDM; no license for FMC).
But: on our WLAN-network, which is connected via another interface of our ASA, named airport; I want to realize VPN-connectivity too!

in the configuration there is a limitation of only one VPN-interface for ALL vpn-connections. How do I realize VPN-connectivity over both networks (outside and airport)? Background: Our WLAN has the same minor rights like our outside-connection. To reach our internal network it is necessary to do vpn. This should be possible for outside workers like inside workers (in the reachibility of our WLAN).
I tried different access-list aproaches, without success. This means: trying to reach the outside-interface over the airport-

interface. But this does not seem to work.

I appreciate any tips here

Re: VPN-reachibility from one interface to one another interface

Alfred Simonarson — Fri, 29 Nov 2019 14:41:49 GMT

I have the excact same issue, Cisco please help us as this was enabled on my clients old ASA (v8.2) and is crucial for their companys operation

Re: VPN-reachibility from one interface to one another interface

Marvin Rhoads — Sat, 30 Nov 2019 06:13:16 GMT

As of the current FTD release (6.5.0.1), Cisco only supports configuration of a single interface for SSL VPN when managing with Firepower Device Manager (FDM). The same applies when using Cisco Defense Orchestrator or CDO.

If you switch to Firepower Management Center (FMC) management you can configure multiple interfaces.

Re: VPN-reachibility from one interface to one another interface

gln — Mon, 02 Dec 2019 07:21:15 GMT

This means an additional license for 500 Dollars for two devices at the moment. This for a funcionality which is realized with our old ASA 5010 with the standard ios.

On the other side this is a fine operating system, can updated within minutes - on the contrary, at our old cisco it is a special enterprise to update the system - fearing that the rules of the configuration will break - while the company depends on the internet connection. So please Cisco do something or in the future: sell this cisco with the necessary configuration tools!

Re: VPN-reachibility from one interface to one another interface

Marvin Rhoads — Mon, 02 Dec 2019 09:35:02 GMT

To be fair, the old 5500 series ASA running 8.x software isn't protecting against 90% or more of current threats.

Until Cisco updates FTD to be able to support multiple interfaces for VPN when using FDM management, you could leave the ASA sitting in a DMZ connected to the FTD device(s) and get the multiple interface support there. It's a bit of a hack design-wise but it would work.

Re: VPN-reachibility from one interface to one another interface

gln — Mon, 02 Dec 2019 09:50:58 GMT

Hello Marvin,

thank you for this nice idea! In reality I will have some problems: Changing the new firewall into productivity, which default configuration should rest on the old asa and in a condition that it works like figured out, and all this in a weekend when company activities are low.

Oh yes there is Christmas coming... A few free days for my colleagues...

But I will discuss this here, it seems to be a possible workaround. I really would feel better with the new cisco.