Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1329
Views
25
Helpful
5
Replies

VPN-reachibility from one interface to one another interface

gln
Level 1
Level 1

‎10-21-2019 06:08 AM - edited ‎02-21-2020 09:36 AM

I want to establish RA-VPN. This I have successfully configured on the outside interface of our ASA-5508-X with FTD-image.
(and organized with FDM; no license for FMC).
But: on our WLAN-network, which is connected via another interface of our ASA, named airport; I want to realize VPN-connectivity too!

in the configuration there is a limitation of only one VPN-interface for ALL vpn-connections. How do I realize VPN-connectivity over both networks (outside and airport)? Background: Our WLAN has the same minor rights like our outside-connection. To reach our internal network it is necessary to do vpn. This should be possible for outside workers like inside workers (in the reachibility of our WLAN).
I tried different access-list aproaches, without success. This means: trying to reach the outside-interface over the airport-

interface. But this does not seem to work.

 

I appreciate any tips here

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Alfred Simonarson
Level 1
Level 1

‎11-29-2019 06:41 AM

I have the excact same issue, Cisco please help us as this was enabled on my clients old ASA (v8.2) and is crucial for their companys operation

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Alfred Simonarson

‎11-29-2019 10:13 PM

As of the current FTD release (6.5.0.1), Cisco only supports configuration of a single interface for SSL VPN when managing with Firepower Device Manager (FDM). The same applies when using Cisco Defense Orchestrator or CDO.

If you switch to Firepower Management Center (FMC) management you can configure multiple interfaces.

gln
Level 1
Level 1
In response to Marvin Rhoads

‎12-01-2019 11:21 PM

This means an additional license for 500 Dollars for two devices at the moment. This for a funcionality which is realized with our old ASA 5010 with the standard ios.

On the other side this is a  fine operating system, can updated within minutes - on the contrary, at our old cisco it is a special enterprise to update the system - fearing that the rules of the configuration will break - while the company depends on the internet connection. So please Cisco do something or in the future: sell this cisco with the necessary configuration tools!

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to gln

‎12-02-2019 01:35 AM

To be fair, the old 5500 series ASA running 8.x software isn't protecting against 90% or more of current threats.

Until Cisco updates FTD to be able to support multiple interfaces for VPN when using FDM management, you could leave the ASA sitting in a DMZ connected to the FTD device(s) and get the multiple interface support there. It's a bit of a hack design-wise but it would work.

gln
Level 1
Level 1
In response to Marvin Rhoads

‎12-02-2019 01:50 AM

Hello Marvin,

 

thank you for this nice idea! In reality I will have some problems: Changing the  new firewall into productivity, which default configuration should rest on the old asa and in a condition that it works like figured out, and all this in a weekend when company activities are low. 

Oh yes there is Christmas coming... A few free days for my colleagues...

 

But I will  discuss this here, it seems to be a possible workaround. I really would feel better with the new cisco.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card