https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914293#M956398 <HTML><HEAD></HEAD><BODY><P>what about if my outside interface is not directly connected to the internet. My outside interface in my ASA5500 is conected to the ISP router but the ISP give me a 10.x.x.x/32 subnet.</P><P>The ISP routers forward to my firewall the subnet with the publict ip's.</P><P></P><P></P></BODY></HTML> Thu, 06 Mar 2008 14:09:26 GMT Rafael Jimenez 2008-03-06T14:09:26Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914291#M956392 <P>I have the following configuration in an ASA5505-SEC-BUN-K8:</P><P>!</P><P>interface Vlan1</P><P> nameif Servers</P><P> security-level 100</P><P> ip address 192.168.80.1 255.255.255.0 </P><P>!</P><P>interface Vlan10</P><P> nameif internet</P><P> security-level 0</P><P> ip address 10.0.11.99 255.255.0.0 </P><P>!</P><P>!</P><P>interface Vlan90</P><P> nameif huespedes</P><P> security-level 40</P><P> ip address 192.168.90.1 255.255.255.0 </P><P>!</P><P>interface Vlan201</P><P> nameif dmz</P><P> security-level 50</P><P> ip address 201.245.184.225 255.255.255.224 </P><P>!</P><P>interface Vlan254</P><P> nameif bogota</P><P> security-level 100</P><P> ip address 192.168.252.2 255.255.255.252 </P><P>!</P><P>I would like to know on which interface has to enable the vpn ;</P><P>crypto map ?????_map interface ????</P><P>crypto isakmp enable ?????</P><P>My outside interface is called internet.</P><P>If i have 30 public ips and the dmz vlan is using one of this public ip's , how need setup my vpn access?.</P><P>Thanks</P> Mon, 11 Mar 2019 11:53:15 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914291#M956392 Rafael Jimenez 2019-03-11T11:53:15Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914292#M956394 <HTML><HEAD></HEAD><BODY><P>I would recommend that you apply the crypto map on the interface where your default route is pointing to. The reason is, for Remote Access VPN, the user would be coming from any source IP and for the ASA to route the packets back to the VPN Client, a default route will scale much better. </P><P></P><P>Regards,</P><P>Arul</P><P></P><P>** Please rate all helpful posts **</P></BODY></HTML> Thu, 24 Jan 2008 22:40:59 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914292#M956394 ajagadee 2008-01-24T22:40:59Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914293#M956398 <HTML><HEAD></HEAD><BODY><P>what about if my outside interface is not directly connected to the internet. My outside interface in my ASA5500 is conected to the ISP router but the ISP give me a 10.x.x.x/32 subnet.</P><P>The ISP routers forward to my firewall the subnet with the publict ip's.</P><P></P><P></P></BODY></HTML> Thu, 06 Mar 2008 14:09:26 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914293#M956398 Rafael Jimenez 2008-03-06T14:09:26Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914294#M956400 <HTML><HEAD></HEAD><BODY><P>In that case you will not be able to terminate the Remote access VPN's on the firewall unless the ISP NAT's one of your public ip's to your external interface of your ASA.</P><P></P><P>The only other way around this will be to use some of your public address space on the network between the firewall and ISP router.</P></BODY></HTML> Thu, 06 Mar 2008 14:45:24 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914294#M956400 brettmilborrow 2008-03-06T14:45:24Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914295#M956401 <HTML><HEAD></HEAD><BODY><P></P><P></P><P> you will enable on the internet.</P></BODY></HTML> Fri, 07 Mar 2008 07:11:10 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914295#M956401 onlyabhishek007 2008-03-07T07:11:10Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914296#M956403 <HTML><HEAD></HEAD><BODY><P>if I select the isp NAT option, how need setup the ASA to avoid the NAT-IPSEc issue?.</P><P>thanks.</P></BODY></HTML> Fri, 07 Mar 2008 14:28:35 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914296#M956403 Rafael Jimenez 2008-03-07T14:28:35Z https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914297#M956406 <HTML><HEAD></HEAD><BODY><P>You need to enable nat traversal with the following command:</P><P></P><P>"isakmp nat-traversal"</P><P></P><P>Good Luck!</P></BODY></HTML> Fri, 07 Mar 2008 23:33:52 GMT https://community.cisco.com/t5/network-security/remote-access-vpn/m-p/914297#M956406 brettmilborrow 2008-03-07T23:33:52Z