Multiple ASA Remote Access VPN to ISE IPEP

After numerous conversations with the Cisco account team and Cisco AS, we were told that configuring multiple ASAs to go through a single IPEP was not an issue and would not require reconfiguration or rebuilding of the addressing on the units.

It appears from the example I have seen for a single ASA that it is expecting the inside interface to be in the same subnet as the untrusted interface of the IPEP. This is where our problem comes in: the two VPNs have different inside interface subnets.

We were originally told/led to believe by Cisco AS that the IPEP could have multiple untrusted interfaces (sub-interfaces); this was not tested in the original pilot.

This is not a show stopper; I am just wondering if anyone has faced this and what their recommendations were.

Thank you,

Rich

1 REPLY 1

Multiple ASA Remote Access VPN to ISE IPEP

I can see the scenario you are describing working, as long as the ASA inside interfaces and the untrusted interface of the IPEP are on the same subnet/VLAN.

The main show stopper for multiple ASAs to one IPEP is the MAC addressing. By the nature of data traversal, the last interface the data goes through strips the previous MAC from the packet and replaces it with its own MAC. The MAC of the ASA is what the IPEP filters on, so if the data has to traverse ANY other interface, the IPEP would not see the correct MAC.

We were hoping to do the same with an ASA in the US and an ASA in the UK, because the sites are linked via VPN tunnel, but we came to the realization that with the different hops in between it would be impossible for the IPEP to work.
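As an added illustration (not code from the thread or from Cisco), a small Python check for the adjacency requirement the reply describes: an ASA inside interface must share the subnet of the IPEP untrusted interface, otherwise a router hop sits in between and the IPEP sees that hop's source MAC instead of the ASA's. The addresses and ASA names are constructed sample values.

```python
import ipaddress

# Constructed sample addressing (not from the thread): one IPEP untrusted
# interface and two ASA inside interfaces, only one of which shares its subnet.
IPEP_UNTRUSTED = "10.10.10.2/24"
ASA_INSIDE = {
    "asa-us": "10.10.10.1/24",
    "asa-uk": "10.20.20.1/24",
}


def classify_asa(ipep_untrusted, asa_inside):
    """Return {asa_name: "adjacent" | "routed" | "prefix-mismatch"}.

    "adjacent": same subnet as the IPEP untrusted interface, so frames arrive
    carrying the ASA's own source MAC and the IPEP's MAC filter can match it.
    "routed": a different subnet, so at least one router hop is in between and
    the IPEP sees the last hop's MAC rather than the ASA's.
    "prefix-mismatch": the two addresses overlap but the masks differ; treat
    this as a configuration error to fix before relying on L2 adjacency.
    """
    ipep = ipaddress.ip_interface(ipep_untrusted)
    result = {}
    for name, addr in asa_inside.items():
        asa = ipaddress.ip_interface(addr)
        if asa.network == ipep.network:
            result[name] = "adjacent"
        elif asa.ip in ipep.network or ipep.ip in asa.network:
            result[name] = "prefix-mismatch"
        else:
            result[name] = "routed"
    return result


def needs_rework(ipep_untrusted, asa_inside):
    """Sorted names of ASAs that cannot be fronted by this IPEP as addressed."""
    statuses = classify_asa(ipep_untrusted, asa_inside)
    return sorted(name for name, status in statuses.items() if status != "adjacent")


if __name__ == "__main__":
    for name, status in classify_asa(IPEP_UNTRUSTED, ASA_INSIDE).items():
        print(f"{name}: {status}")
    print("needs rework:", needs_rework(IPEP_UNTRUSTED, ASA_INSIDE))
```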