
VPN ---> FW ASA

Amafsha1
Level 2

Here is a configuration:

VPN-ASA#

interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 172.25.2.6 255.255.255.0
!

S* 0.0.0.0 0.0.0.0 [1/0] via 172.25.2.2, outside

------------------------------------------------------------------

FW-ASA#

interface Port-channel11.1045
 nameif Inside
 security-level 100
 ip address 172.25.2.2 255.255.255.0 standby 172.25.2.22

Please correct me if I'm wrong, but it seems that the VPN outside interface is in the same subnet as the inside interface of the FW, and there is a static default route on the VPN-ASA that is pointing to the inside interface of the FW. Does this mean that anything destined to go 'outside' for VPN will end up going through the inside interface of the FW? So everything destined to outside of the VPN from the VPN must go through the FW?


5 Replies

Richard Burts
Hall of Fame

Can you provide some clarification about the topology here? Are there 2 ASA? What interfaces are in the port channel and does G0/0 connect to something that is connected to that port channel?

 

This kind of configuration would make sense if there were an ASA on the perimeter of the network to provide firewall functions for the network and if there were a second ASA connected inside the perimeter ASA to provide VPN functions. Is this the way that your network is set up?

 

HTH

Rick

Hey Richard, good to hear from you!

I still don't think I'm giving you enough info, my apologies for that, but I'll try my best. These are 2 different ASAs.
The FW is a 5585-X and the VPN is an ASA5540, if that's what you're asking.


This is the best command I could find for interface detail...unless you know a better one I would be happy to share.


FW-ASA# sh int Port-channel11.1045 detail - connects to our internet switch on trunks
Interface Port-channel11.1045 "Inside", is up, line protocol is up
MAC address a21f.1400.0006, MTU 1500
IP address 172.25.2.2, subnet mask 255.255.255.0
Traffic Statistics for "Inside":
85812451455 packets input, 27133113639926 bytes
101692374599 packets output, 69885391786898 bytes
14492627992 packets dropped
Control Point Interface States:
Interface number is 2
Interface config status is active
Interface state is active
Control Point Vlan1045 States:
Interface vlan config status is active
Interface vlan state is UP

 


VPNASA# sh run int g0/0
!
interface GigabitEthernet0/0 - connects directly to our core switch on vlan1025
speed 1000
duplex full
nameif outside
security-level 0
ip address 172.25.2.6 255.255.255.0
B6-VPNASA# sh run int g0/1
!
interface GigabitEthernet0/1 - connects directly to our core on vlan 2
speed 1000
duplex full
nameif inside
security-level 100
ip address 172.28.250.200 255.255.255.0


Core and internet switch are directly connected to each other via trunk. And yes, I believe this is a perimeter FW since it's connected to the same switch where our internet circuit is. It directs all traffic heading outside or coming from the outside.

What you have posted does suggest that vpn asa outside interface connects to a switch which does connect to fw asa inside interface. Can you confirm that this is true? In this case it is logical that the default route on vpn asa does point to fw asa as next hop. And it does mean that anything from vpn asa going to outside must go through fw asa.

 

HTH

Rick
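As an added check (my code, not from the thread or from Cisco), the script below parses the interface and route lines posted above and confirms what Rick describes: the VPN-ASA default route's next hop 172.25.2.2 lies on the outside subnet and is owned by the FW-ASA Inside interface, so every non-local flow leaving the VPN-ASA is handed to the perimeter firewall. The config strings are constructed from the snippets in this thread; the nameif/route parsing is a minimal reader for that format, not a full ASA config parser.

```python
import ipaddress
import re

# Constructed inputs, copied from the snippets in this thread (assumption:
# each device's "show run" / "show route" output is pasted as one string).
VPN_ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.25.2.6 255.255.255.0
"""
VPN_ASA_ROUTES = "S* 0.0.0.0 0.0.0.0 [1/0] via 172.25.2.2, outside\n"
FW_ASA_CONFIG = """
interface Port-channel11.1045
 nameif Inside
 security-level 100
 ip address 172.25.2.2 255.255.255.0 standby 172.25.2.22
"""
# Matches ASA "show route" lines like: S* 0.0.0.0 0.0.0.0 [1/0] via 172.25.2.2, outside
ROUTE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")

def parse_interfaces(config):
    """Map nameif -> ip_interface from ASA 'show run' interface lines."""
    ifaces, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return ifaces
def parse_routes(show_route):
    """Yield (prefix, next_hop, out_iface) from ASA 'show route' lines."""
    for m in filter(None, map(ROUTE_RE.match, show_route.splitlines())):
        dest, mask, hop, out = m.groups()
        yield ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(hop), out
def check_routes(local_ifaces, routes, neighbours):
    """Per route: is the next hop on the egress subnet, and who owns that address?"""
    findings = []  # neighbours = {device: {nameif: ip_interface}}
    for prefix, hop, out in routes:
        egress = local_ifaces.get(out)
        owner = next(((dev, nameif) for dev, ifs in neighbours.items()
                      for nameif, ipi in ifs.items() if ipi.ip == hop), None)
        findings.append({"prefix": str(prefix), "next_hop": str(hop), "egress": out,
                         "on_link": egress is not None and hop in egress.network,
                         "owner": owner})
    return findings
def analyse_thread_topology():
    vpn, fw = parse_interfaces(VPN_ASA_CONFIG), parse_interfaces(FW_ASA_CONFIG)
    return check_routes(vpn, parse_routes(VPN_ASA_ROUTES), {"FW-ASA": fw})
```

Running `analyse_thread_topology()` returns one finding for 0.0.0.0/0 with `on_link` true and `owner` equal to `("FW-ASA", "Inside")`; a next hop that is not on the egress subnet, or that no neighbour interface owns, would show up as `on_link` false or `owner` None and is worth chasing before assuming the firewall sees the traffic.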

I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information.

 

HTH

Rick

Thanks, always glad to hear from you Richard. 
