Multiple ASA Remote Access VPN to ISE IPEP

frabonir
Level 1

After numerous conversations with the Cisco Account team and Cisco AS, we were told that configuring multiple ASAs to go through a single IPEP was not an issue and would not require reconfiguration or rebuilding of the addressing on the units.

It appears from the example I have seen for a single ASA that it is expecting the inside interface to be in the same subnet as the untrusted interface of the IPEP. This is where our problem comes in: the two VPNs have different inside interface subnets.

We were originally told/led to believe by Cisco AS that the IPEP could have multiple untrusted interfaces (sub-interfaces); this was not tested in the original pilot.

This is not a show stopper; I am just wondering if anyone has faced this and what their recommendations were.

Thank you,

Rich   

1 Reply

dirkmelvin
Level 1

I can see the scenario you are describing working, as long as the ASA inside interfaces and the untrusted interface of the IPEP are on the same subnet/VLAN.

The main show stopper for multiple ASAs to one IPEP is the MAC addressing. By the nature of data traversal, the last interface the data goes through strips the previous MAC from the packet and replaces it with its own MAC. The MAC of the ASA is what the IPEP filters on, so if the data has to traverse ANY other interface, the IPEP would not see the correct MAC.

We were hoping to do the same with an ASA in the US and an ASA in the UK, because the sites are linked via VPN tunnel, but came to the realization that the different hops in between would make it impossible for the IPEP to work.
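The reply above hinges on a Layer-2 detail: every routed hop rewrites the Ethernet source MAC, so a filter keyed on the ASA's MAC only holds when the ASA inside interface and the IPEP untrusted interface share one VLAN. The following model is an added illustration written for this thread, not Cisco or ISE code; the MAC addresses and hop lists are constructed, and `forward`, `ipep_accepts` and `evaluate_paths` are hypothetical names. It generalises the two cases in the reply (same VLAN versus a routed path) to any number of intermediate hops.

```python
"""Model of why a MAC-keyed IPEP filter needs the ASA on the same L2 segment.

Added illustration for the forum thread; not Cisco/ISE code. All MAC values
are constructed examples, not real device addresses.
"""
from dataclasses import dataclass

# Constructed MAC addresses for the devices discussed in the thread.
ASA_US_MAC = "00:11:22:aa:00:01"   # ASA inside interface, US site
ASA_UK_MAC = "00:11:22:bb:00:01"   # ASA inside interface, UK site
ROUTER_MAC = "00:11:22:cc:00:01"   # constructed router interface between sites
IPEP_ALLOWED = {ASA_US_MAC, ASA_UK_MAC}   # what the IPEP filters on


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


def forward(frame: Frame, hops: list[str]) -> Frame:
    """Carry a frame across routed hops.

    Each routed interface strips the incoming source MAC and replaces it with
    its own egress MAC; the IP payload is untouched. An empty hop list models
    the ASA and IPEP sharing one VLAN (no rewrite).
    """
    for hop_mac in hops:
        frame = Frame(src_mac=hop_mac, dst_mac=frame.dst_mac, payload=frame.payload)
    return frame


def ipep_accepts(frame: Frame, allowed: set[str] = IPEP_ALLOWED) -> bool:
    """MAC-based admission check as described in the reply."""
    return frame.src_mac in allowed


def evaluate_paths() -> dict[str, bool]:
    """Compare the same-VLAN topology with a routed (multi-hop) topology."""
    us_frame = Frame(ASA_US_MAC, "00:11:22:dd:00:01", "VPN user traffic")
    uk_frame = Frame(ASA_UK_MAC, "00:11:22:dd:00:01", "VPN user traffic")
    return {
        # ASA and IPEP untrusted interface on one VLAN: source MAC survives.
        "us_same_vlan": ipep_accepts(forward(us_frame, [])),
        # UK ASA reaching the US IPEP through a routed hop: MAC is rewritten.
        "uk_via_router": ipep_accepts(forward(uk_frame, [ROUTER_MAC])),
        # Any further hops only move the problem; the ASA MAC never returns.
        "uk_via_two_routers": ipep_accepts(
            forward(uk_frame, [ROUTER_MAC, "00:11:22:ee:00:01"])),
    }


if __name__ == "__main__":
    for path, ok in evaluate_paths().items():
        print(f"{path}: {'accepted' if ok else 'rejected'}")
```

The model makes the design constraint concrete: once a frame crosses any routed interface, the IPEP sees that interface's MAC, so the fix is topological (put each ASA inside interface on the IPEP's untrusted VLAN) rather than a filter tweak.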
