
ASA VPN Interface should be outside interface?

lydia.walther
Level 1

Hey,

Is it necessary that the interface which we want to use for VPN is simultaneously the outside interface?

Or is it possible to have one outside interface and another physical interface for VPN?

greetings

3 Replies

husycisco
Level 7

Hello Lydia,

Sure, you can have VPN terminated at every interface of the firewall, as long as the proper routes for peers and NAT statements are added.

Regards

You can allow VPN on the inside interface too; you can put a mark in the checkbox on the IPsec connections page (ASDM).

astripat
Level 1

Hi Lydia,

You can terminate the vpn on any interface. Let's take the following example:

      Router (Remote n/w 192.168.1.1/24)
                  |
          ISP1         ISP2
        2.2.2.2       3.3.3.3
           |             |
        outside       outside2
            \           /
             \         /
                 ASA
                  |
               Inside

Let's say that we have established an L2L tunnel with a router and the network behind the router to which we want to talk is 192.168.1.1/24.

Now, on the ASA we have the default route as follows:

route outside 0 0 2.2.2.2

Now, if the cryptomap is applied on the outside2 interface and the tunnel gets initiated from the remote router, the packet would reach the firewall, but when the reply goes, it checks the routing table and sends the packet towards the outside interface and it gets dropped. So, we need to have a specific route for the remote n/w as follows to make it work:

route outside2 192.168.1.0 255.255.255.0 3.3.3.3

HTH

Ashu.
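
The routing behaviour described in the reply above, as an added example that is not part of the original thread: a small Python check that parses ASA-style static `route` lines and reports whether traffic to the remote network leaves through the interface that carries the crypto map. It assumes static routes only and plain longest-prefix matching; the function names and the sample host 192.168.1.10 are hypothetical.

```python
import ipaddress

# Constructed sample configs, built from the two route lines in the post.
BEFORE = "route outside 0 0 2.2.2.2"
AFTER = BEFORE + "\nroute outside2 192.168.1.0 255.255.255.0 3.3.3.3"


def parse_routes(config_text):
    """Parse 'route <interface> <network> <mask> <gateway>' lines."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gateway = parts[1:5]
        # The ASA accepts a bare '0' as shorthand for 0.0.0.0.
        net = "0.0.0.0" if net == "0" else net
        mask = "0.0.0.0" if mask == "0" else mask
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((network, ifname, gateway))
    return routes


def egress_for(routes, destination):
    """Longest-prefix match; returns (interface, gateway) or None."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    _, ifname, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return ifname, gateway


def tunnel_route_ok(routes, crypto_if, remote_host):
    """True when replies to remote_host leave via the crypto map interface."""
    hit = egress_for(routes, remote_host)
    return hit is not None and hit[0] == crypto_if


if __name__ == "__main__":
    for label, cfg in (("default route only", BEFORE), ("with specific route", AFTER)):
        routes = parse_routes(cfg)
        print(label, egress_for(routes, "192.168.1.10"),
              "ok" if tunnel_route_ok(routes, "outside2", "192.168.1.10") else "MISMATCH")
```
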
