ASA VPN Interface

Mokhalil82
Level 4

Hi

We have an ASA firewall in a HA setup and currently are moving over to a new internet circuit that is provided by the Data Centre. Previously the Public range extended out to the next hop address so the VPNs terminated on the outside interface.

However, the DC has now provided a new public range for us to use which will sit inside the firewall, but the outside interface is on a different subnet for the point-to-point to the internet.

So my question is:

1. When configuring IPSEC VPNs, do they need to terminate on a physical interface, which would mean I would have to use the outside interface IP which is on a different subnet from my actual public range, or can I use an IP from the new range provided (even if it means configuring a loopback for VPN peer)

 

I would like to use an IP from the new range so in the future if we ever need to move internet providers, I don't want to be changing the VPN peer address.

 

Thanks

6 Replies

Hi,
IKEv1/IKEv2 is enabled on the interface of the ASA, unfortunately this means you can only terminate a VPN connection on the IP address assigned to the ASA's interface. You would need to re-IP address the ASA if you wanted to utilise the new IP addresses.

HTH

Hi

 

What if I use a separate physical interface on the ASA other than the Outside interface as the VPN termination, so that the outside interface is the point to point to the DC, then another physical interface is assigned an IP from our public range and the port is connected to the external switch so that it stays up.

 

In that case how does the traffic flow work for VPNs. Does it come into the ASA on the outside interface, then internally on the ASA hit the VPN interface, in which case is the VPN on the inside of the VPN interface?

 

Thanks

No, I don't see that is possible. You cannot connect through one ASA interface (outside) to another ASA interface; that's by design. I quickly labbed the scenario you described above and received the following error, which I believe confirms my initial thoughts.

%ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:3.3.3.1/500 to 11.11.11.1/500

The scenario you are describing is possible on IOS routers, where you could define a loopback. As mentioned previously, ASAs don't support loopback interfaces.

I can think of a few alternative options for you. Place a router in front of the ASA using the IP addresses of the current ASA interfaces, re-IP address the ASA with the new IP addresses and then terminate the VPNs. Or alternatively, place a router or another ASA on a DMZ interface of the current ASA and utilise the new IP address range.

HTH

Right - traffic cannot come into an interface of an ASA and be terminated on a different interface of the same ASA. That's by design and cannot be changed. 

Just wondering if it should work if it is configured with "same-security-traffic permit inter-interface" and an inbound NAT is configured on the 1st (old) outside interface, where the traffic still arrives, pointing to the new IP configured on a 2nd (new) outside interface?

thanks

Regards

Marvin Rhoads
Hall of Fame

ASAs don't have loopback addresses, but since 9.7(1) they do have Virtual Tunnel Interface (VTI) support. You might be able to make it work using that.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html
