IPSEC VPN termination on different ip

christian-goedhart · ‎08-13-2018

Hi,

On my asa i have a outside ip address on the outside interface. And i have a subnet routed to said IP. Is it possible for me to use one of the routed ip addresses as gateway for the VPN tunnels? I know you can't make loopback addresses on an ASA but i was wondering if there is a different solution.

Example

interface GigabitEthernet1/1
nameif outside
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2

interface Loopback1

nameif VPN

ip address 2.2.2.1 255.255.255.255

crypto map outside_map interface VPN

Except i can't create Loopbacks on an ASA

Dennis Mink · ‎08-14-2018

Typically what happens is that you use the public ip address on the outside interface your vpn termination point. and open that IP address for esp and isakmp. is there any particular reason why you want to terminate on a different public IP?

Please remember to rate useful posts, by clicking on the stars below.

christian-goedhart · ‎08-14-2018

The reason is that there is a migration of firewalls. We are moving from a single firewall to a cluster. We did not have a spare ip address in the range to set as a standby address so we changed the outside ip range to one where we had a spare ip address en routed the block that was on the firewall to the new ip address.

We want to terminate on the same ip address that was on the old firewall so we don't have inform all the other parties of the ip change.

Mohammed al Baqari · ‎08-14-2018

You can't terminate VPN on another interface of the ASA. This won't work
for other reasons.