Configure ASA5510 for L2L VPN not using outside interface problem.

kevin.woodhouse
Level 1

All,

I currently have an ASA5510 with 2 interfaces (outside and Inside) running remote VPN for clients and L2L VPN for a couple of sites. I have traffic entering the inside interface, matching interesting traffic, being wrapped up in IKE / IPSEC and sent out via the outside interface. All straightforward so far.

Now I have a new VPN which is required to go over another interface and not the outside. The traffic comes into the inside interface as normal and should be matched via ACL, encrypted and sent out the new interface; however, the traffic is simply sent out of the outside interface and doesn't get any IKE headers. If I reconfigure the interface to be the outside it does at least match the ACL, wrap it up nicely in IKE and try to get to the remote peer.

My questions are: why does this behaviour occur, and why isn't the traffic marked interesting and sent out the new interface?

I don't have any issues creating a new VPN if I want it to go external, I just add the required information to the outside_map, but I need the traffic to be encrypted and sent over another interface. I'm not a huge fan of the GUI for this but I've tried both CLI and GUI with the same results.

Regards

Kevin.        

2 Replies

Jouni Forss
VIP Alumni

I would suggest sharing some more specific information.

To be honest I haven't had the need to configure VPN on a single ASA for multiple interfaces.

I would imagine that you would have to confirm that

  • The remote peer IP is routed through the "new" interface
  • The remote network is routed through the "new" interface. The "set reverse-route" in the crypto map configurations might even handle this
  • Make sure that the NAT configured between "inside" and "new" interface matches with the interesting traffic for the new VPN
  • Make sure that the VPN configurations have been applied to the "new" interface also.

- Jouni
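A configuration sketch of the checklist above, added here as an illustration and not taken from either poster's ASA. It assumes ASA 8.4+ syntax; the interface name dmz_vpn, the addresses (RFC 5737 documentation ranges), the object names and the transform set are placeholders.

```cisco
! Added example: second L2L tunnel terminating on a third interface.
! All names and addresses are placeholders, not the poster's values.

! 1. The new interface that the tunnel must use
interface Ethernet0/2
 nameif dmz_vpn
 security-level 50
 ip address 198.51.100.2 255.255.255.252

! 2. Routing: the PEER must be reachable via dmz_vpn. Without this the
!    packets follow the default route out "outside" unencrypted, which is
!    the symptom described in the thread.
route dmz_vpn 203.0.113.10 255.255.255.255 198.51.100.1
! The remote protected network must also point out dmz_vpn. Either add a
! static route like the one below, or let "set reverse-route" (step 5)
! inject it when the tunnel comes up; do not rely on neither.
! route dmz_vpn 10.20.0.0 255.255.0.0 198.51.100.1

! 3. Interesting traffic for the new tunnel
access-list dmz_vpn_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0

! 4. NAT exemption between inside and the NEW interface, not inside->outside
object network LOCAL_LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_LAN_B
 subnet 10.20.0.0 255.255.0.0
nat (inside,dmz_vpn) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN_B REMOTE_LAN_B no-proxy-arp route-lookup

! 5. IKE enabled on the new interface and a separate crypto map bound to
!    it; the existing outside_map is left untouched
crypto ikev1 enable dmz_vpn
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map dmz_vpn_map 10 match address dmz_vpn_cryptomap
crypto map dmz_vpn_map 10 set peer 203.0.113.10
crypto map dmz_vpn_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map dmz_vpn_map 10 set reverse-route
crypto map dmz_vpn_map interface dmz_vpn

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
```

After applying it, `show crypto ikev1 sa` and `show crypto ipsec sa` should show the SA on dmz_vpn, and `packet-tracer input inside icmp 192.168.1.10 8 0 10.20.0.10` should end in a VPN phase rather than a plain route out "outside".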

Thanks for your reply, appreciate that. There are some suggestions I can use from the above post. I'll try hand coding this again too as most people advise not using the GUI. It's a frustrating configuration in that it encapsulates the interesting traffic if I send the traffic over the outside interface; when I choose to use another interface the traffic just goes out as an ICMP request, therefore not marking the traffic as interesting and trying phase 1.

Kevin
