ASA Loopback Interfaces

paulhughes5
Level 1

Hi

I'm fairly new to the ASA platform after having spent the last few years on Juniper SRX.

As part of a new project we are looking to integrate some ASA5545s into a new L3VPN platform and as part of this I'd like to have traffic fail-over between sites using routing, the complication comes with how I want to handle IPSEC VPNs.

First question, do ASAs currently support loopback addresses in multi-context mode (if so where do you configure them)?

Second question, can these interfaces then be used to terminate a site to site IPSEC tunnel?

Any help welcome

Thanks

Paul

1 Accepted Solution

The ASA doesn't support the concept of loopback-interfaces. IPsec-VPNs are always terminated on the IP of the interface that protects the traffic.


10 Replies

Is there an alternative solution to allow the creation of logical interfaces I can advertise via routing protocols?

No, if you need that flexibility for routing-integration, an IOS-router would be the best choice. The ASA is quite limited here.

Oliver Kaiser
Level 7

Do you want to implement a firewall service for L3VPN customers? In case you want to build a scalable multi-tenancy solution you might wanna look into ASAv and dedicate a virtual machine for each customer and offer redundancy using a second ASA for failover.

Let me know which problems you are trying to solve with your design - maybe there is a viable alternative to l3 failover mechanisms and ipsec failover (which could be achieved using backup peers btw).

regards

Oliver

Hi

I'm working with hardware that's already been purchased so a little stuck when it comes to swapping it out.

The idea is that a 3rd party customer will have a VPN to a single IP and that IP can move within our core to another firewall should the primary fail. I can't use the external facing IP of the firewall as that will be a connected route to the upstream router.

Trying to get customers to configure anything beyond a single IPSEC tunnel is hard enough without asking them to create backup peers or second paths so we are trying to solve it on our side.

Thanks

Paul

The idea is that a 3rd party customer will have a VPN to a single IP and that IP can move within our core to another firewall should the primary fail. I can't use the external facing IP of the firewall as that will be a connected route to the upstream router.

So you have the wrong device for the right task ...

For a firewall failure, there is Active/Standby HA. If the active unit fails, the standby unit takes over the VPN. But the VPN still has to be terminated on the IP of the physical interface.

What about splitting the task of firewalling (which will be done by the ASA) and VPN?

Hi

I'm not trying to deal with failure in the same site, this is cross site.

The theory being that a customer connects to DC1 in normal operation to access their services in an L3VPN which can span multiple locations. If the firewall in DC1 goes down for any reason I want the IPSEC tunnel to come into a firewall in DC2 which connects to the same L3VPN 'cloud'.

I have tried to create a 'dummy' interface and direct traffic to that however it seems the ASA won't allow you to route to the physical IP of one interface from another.

I understand what you want, but no, that's all not supported on the ASA itself. You could try to automate things through scripting, but that would also be a highly dirty solution because it would have to be done on both sides of the tunnel. Be aware that another limitation is that the ASA only does policy-based VPNs, not route-based VPNs.

The ASA is a great device for Remote-Access VPNs, but for highly scalable S2S VPNs, a router is the better choice.

Thanks, missing my SRXs already :D

Support for route-based VPNs has been added in ASA 9.7:

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

Source:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html#ID-2172-00000128
