Enthusiast

ASA VPN Interface

Hi

We have an ASA firewall in an HA setup and are currently moving over to a new internet circuit that is provided by the Data Centre. Previously the public range extended out to the next-hop address, so the VPNs terminated on the outside interface.

However, the DC has now provided a new public range for us to use which will sit inside the firewall, while the outside interface is on a different subnet for the point-to-point link to the internet.

So my question is:

1. When configuring IPsec VPNs, do they need to terminate on a physical interface, which would mean I would have to use the outside interface IP that is on a different subnet from my actual public range, or can I use an IP from the new range provided (even if it means configuring a loopback for the VPN peer)?

I would like to use an IP from the new range so that in the future, if we ever need to move internet providers, I don't have to change the VPN peer address.

Thanks

1 Accepted Solution

RJI (VIP Advocate)

Re: ASA VPN Interface

No, I don't see that that is possible. You cannot connect through one ASA interface (outside) to another ASA interface; that's by design. I quickly labbed the scenario you described above and received the following error, which I believe confirms my initial thoughts.

%ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:3.3.3.1/500 to 11.11.11.1/500

The scenario you are describing is possible on IOS routers, where you could define a loopback. As mentioned previously, ASAs don't support loopback interfaces.

I can think of a few alternative options for you. Place a router in front of the ASA using the IP addresses of the current ASA interfaces, re-IP the ASA with the new IP addresses and then terminate the VPNs there. Alternatively, place a router or another ASA on a DMZ interface of the current ASA and utilise the new IP address range.

HTH
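The syslog message quoted in the accepted answer is the signal a defender would want to pick up automatically when an ASA is asked to terminate IKE on an address it does not own: the firewall logs an egress-interface lookup failure for UDP/500 (or UDP/4500 when NAT-T is in use) instead of building a tunnel. The following parser is an added example and is not from the thread or from Cisco; it reads %ASA-6-110002 lines, extracts the ingress interface and 5-tuple, and flags the ones that look like IKE so they can be separated from ordinary routing failures. The first sample line is the one from the answer above; the remaining sample lines, the interface names and the addresses in them are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines. The first one is the message quoted in the
# accepted answer; the rest are made up using documentation address ranges.
SAMPLE_LOGS = [
    "%ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:3.3.3.1/500 to 11.11.11.1/500",
    "%ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:203.0.113.10/4500 to 198.51.100.5/4500",
    "%ASA-6-110002: Failed to locate egress interface for TCP from INSIDE:10.1.1.5/51234 to 192.0.2.9/443",
    "%ASA-6-302013: Built inbound TCP connection 12345 for OUTSIDE:203.0.113.10/51000 (203.0.113.10/51000) to INSIDE:10.1.1.5/443 (10.1.1.5/443)",
    "garbage line that should be ignored",
]

# Only the 110002 message is of interest; everything else returns None.
EGRESS_FAIL_RE = re.compile(
    r"%ASA-\d-110002: Failed to locate egress interface for "
    r"(?P<proto>[A-Za-z0-9]+) from "
    r"(?P<iface>[^:\s]+):(?P<src>[0-9A-Fa-f.:]+)/(?P<sport>\d+) to "
    r"(?P<dst>[0-9A-Fa-f.:]+)/(?P<dport>\d+)"
)

# IKE uses UDP/500; IKE with NAT traversal and ESP-in-UDP use UDP/4500.
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class EgressFailure:
    proto: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int

    def is_ike(self) -> bool:
        """True when the failed flow looks like an IKE negotiation."""
        return self.proto.upper() == "UDP" and self.dport in IKE_PORTS


def parse_line(line: str) -> Optional[EgressFailure]:
    """Parse one syslog line; return None for anything that is not 110002."""
    m = EGRESS_FAIL_RE.search(line)
    if not m:
        return None
    return EgressFailure(
        proto=m.group("proto"),
        iface=m.group("iface"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
    )


def find_ike_egress_failures(lines: List[str]) -> List[EgressFailure]:
    """Return only the egress failures that look like IKE peers being dropped."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.is_ike():
            found.append(ev)
    return found


def summarize_by_target(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count IKE egress failures per (ingress interface, attempted peer IP).

    A non-zero count against an address the ASA does not hold on that
    interface is the symptom described in the thread: a peer is trying to
    build a tunnel to an IP the firewall cannot terminate on.
    """
    counts: Counter = Counter()
    for ev in find_ike_egress_failures(lines):
        counts[(ev.iface, ev.dst)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize_by_target(SAMPLE_LOGS).items():
        print(f"{key[0]} -> {key[1]}: {n} IKE egress failure(s)")
```

Feed the function real ASA syslog output (for example a file exported from the logging host) instead of `SAMPLE_LOGS`; a burst of entries for a destination address that is not configured on the named interface is the quickest confirmation that a peer has been pointed at an address the ASA cannot terminate on.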
5 Replies

RJI (VIP Advocate)

Re: ASA VPN Interface

Hi,
IKEv1/IKEv2 is enabled on the interface of the ASA; unfortunately, this means you can only terminate a VPN connection on the IP address assigned to the ASA's interface. You would need to re-IP the ASA if you wanted to utilise the new IP addresses.

HTH
Enthusiast

Re: ASA VPN Interface

Hi

What if I use a separate physical interface on the ASA, other than the outside interface, as the VPN termination, so that the outside interface is the point-to-point to the DC, while another physical interface is assigned an IP from our public range and its port is connected to the external switch so that it stays up?

In that case, how does the traffic flow work for VPNs? Does it come into the ASA on the outside interface and then internally on the ASA hit the VPN interface, in which case is the VPN on the inside of the VPN interface?

Thanks

Hall of Fame Master

Re: ASA VPN Interface

Right: traffic cannot come into an interface of an ASA and be terminated on a different interface of the same ASA. That's by design and cannot be changed.

Hall of Fame Master

Re: ASA VPN Interface

ASAs don't have loopback addresses, but since 9.7(1) they do have Virtual Tunnel Interface (VTI) support. You might be able to make it work using that.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html