We have an ASA firewall in a HA setup and currently are moving over to a new internet circuit that is provided by the Data Centre. Previously the Public range extended out to the next hop address so the VPNs terminated on the outside interface.
However, the DC has now provided a new public range for us to use, which will sit inside the firewall; the outside interface itself is on a different subnet, used for the point-to-point link to the internet.
So my question is:
1. When configuring IPsec VPNs, do they need to terminate on a physical interface, which would mean I would have to use the outside interface IP (which is on a different subnet from my actual public range), or can I use an IP from the new range provided (even if it means configuring a loopback for the VPN peer)?
I would like to use an IP from the new range so that, if we ever need to move internet providers in the future, I don't have to change the VPN peer address.
What if I use a separate physical interface on the ASA, other than the outside interface, as the VPN termination? The outside interface would remain the point-to-point to the DC, while another physical interface is assigned an IP from our public range and connected to the external switch so that it stays up.
In that case, how does the traffic flow work for VPNs? Does it come into the ASA on the outside interface and then internally hit the VPN interface, in which case is the VPN on the inside of the VPN interface?
Right: traffic cannot come into one interface of an ASA and be terminated on a different interface of the same ASA. That's by design and cannot be changed.
ASAs don't have loopback addresses, but since 9.7(1) they do have Virtual Tunnel Interface (VTI) support. You might be able to make it work using that.