ASA 5506x site to site vpn from inside network and not at the edge

jlinder (Beginner)

Does the ASA have the ability to terminate a VPN using only its inside interface connected to a core switch? I understand the edge firewall would have to NAT for the ASA. I know the Meraki MX can do this from anywhere inside a network. I just don't see any information on setting up a site-to-site tunnel on an ASA that won't be using an outside interface. Has anyone had success doing this before?

6 Replies

Rob Ingram (VIP Expert)

@jlinder You cannot route traffic through the outside interface and terminate the VPN on the inside interface, if that was your question. You terminate a VPN on the interface closest to the peer.

I do understand that portion. Every site-to-site VPN I have set up has been on the edge network, where you have an inside and an outside interface. But I have seen scenarios where someone connected an ASA for a site-to-site tunnel that can get plugged in anywhere on the LAN. That is where I get confused, since there would be no outside interface. There is only the one uplink from the ASA to the switch.

@jlinder one physical but multiple sub-interfaces?

Yeah, perhaps that's the secret. Maybe you can have the outside set up as a sub-interface on the same physical interface, as long as they have separate security zones? Might be something I try out soon.

@jlinder if you have an ASA with one interface I assume that you have configured sub-interfaces, with traffic routed between sub-interfaces. Just terminate the VPN on the interface facing external; it doesn't need to be called "outside".
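An added configuration sketch of what the accepted answer describes (example only, not posted by anyone in this thread): one physical port on the ASA trunks two VLAN sub-interfaces to the core switch, and the IKEv2 site-to-site tunnel is bound to the sub-interface that can reach the peer, named "dmz-uplink" rather than "outside". Interface names, VLAN IDs, addresses, the peer address and the PSK placeholder are all assumptions.

```cisco
! Added example, not from the thread. Names, VLANs, addresses and peer are assumed.
! GigabitEthernet1/1 is an 802.1Q trunk to the core switch; it carries no IP itself.
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/1.10
 vlan 10
 nameif dmz-uplink
 security-level 0
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet1/1.20
 vlan 20
 nameif lan
 security-level 100
 ip address 10.10.20.1 255.255.255.0
! Default route via the edge firewall, which must NAT 192.0.2.10 and forward
! UDP/500, UDP/4500 (NAT-T) and ESP from the peer back to this sub-interface.
route dmz-uplink 0.0.0.0 0.0.0.0 192.0.2.1 1
! Identity NAT so LAN-to-LAN traffic enters the tunnel untranslated.
object network local-lan
 subnet 10.10.20.0 255.255.255.0
object network remote-lan
 subnet 10.20.30.0 255.255.255.0
nat (lan,dmz-uplink) source static local-lan local-lan destination static remote-lan remote-lan no-proxy-arp route-lookup
! IKEv2/IPsec bound to the sub-interface, not to an interface called "outside".
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable dmz-uplink
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list VPN-TRAFFIC extended permit ip 10.10.20.0 255.255.255.0 10.20.30.0 255.255.255.0
crypto map SITE-MAP 10 match address VPN-TRAFFIC
crypto map SITE-MAP 10 set peer 203.0.113.5
crypto map SITE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map SITE-MAP interface dmz-uplink
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
```

Because the ASA sits behind the edge firewall's NAT, the remote peer must be configured with the edge firewall's public address as its peer, and IKEv2 will negotiate NAT-T automatically; the switch port facing GigabitEthernet1/1 has to be a trunk carrying VLANs 10 and 20.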

OK, that makes perfect sense: not having to name the interface "outside" and using the sub-interfaces should do the trick. Thanks for the help!
