Cisco ASA Site-to-Site VPN

MattMH
Level 1

I have a 2-part question for setting up a site-to-site VPN with a vendor.

Question 1

We have a /28 subnet assigned to us from our ISP. Our ASA is using .2 and our default route is .1 to the ISP. I do not want to set this site-to-site VPN up using our .2 IP address. I'd like to use a .10 IP address. When I am working through the site-to-site VPN wizard, I can only choose the interface assigned to "outside". Is there any way, maybe through the CLI, that I can use a .10 IP address for the site-to-site VPN? If so, would I need to create an object, or is that not necessary?

Question 2

The vendor (this is an AWS peer) can BGP peer with my ASA via the tunnel, but I really do not want to redist to them our entire route table. Since I can't run 2 separate BGP ASes on the ASA, should I just stick with static routes between us and them? Any recommendations?

Accepted Solution

@MattMH from ASA 9.19 you can use loopback interfaces for a VPN (VTI only), but that would have to be a different routed public subnet to the physical outside interface. Other than that you have to use the interface (outside) IP address to terminate a VPN.

You can use statics or filter what routes are redistributed via BGP to AWS.


Thanks @Rob Ingram. I was able to get this working in a lab as expected using distribution lists for the BGP peer in AWS.
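As an added example (not configuration from the thread), one way to advertise only selected prefixes to the AWS peer over the tunnel, using a prefix-list and an outbound route-map on the ASA as an alternative to the distribute-list approach described above. The prefixes, ASNs and tunnel-inside peer address are constructed placeholders, not values from the original post.

```text
! Constructed example: only the two LAN prefixes listed here are advertised to AWS.
! Anything not matched by the prefix-list is implicitly denied and never leaves the ASA.
prefix-list AWS-OUT seq 10 permit 10.10.0.0/16
prefix-list AWS-OUT seq 20 permit 10.20.0.0/24

route-map AWS-OUT permit 10
 match ip address prefix-list AWS-OUT

! Placeholder ASNs: 65001 = local ASA, 64512 = AWS side (constructed values)
router bgp 65001
 address-family ipv4 unicast
  network 10.10.0.0 mask 255.255.0.0
  network 10.20.0.0 mask 255.255.255.0
  ! Placeholder tunnel-inside address of the AWS peer
  neighbor 169.254.100.1 remote-as 64512
  neighbor 169.254.100.1 activate
  ! Apply the filter outbound so the full route table is never sent to the peer
  neighbor 169.254.100.1 route-map AWS-OUT out
```

After applying it, `show bgp neighbors 169.254.100.1 advertised-routes` should list only the two permitted prefixes; any other route still showing there means the filter is not attached to that neighbor in the outbound direction.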
