06-11-2009 02:56 PM
I have an ASA 5510 (8.2.1 code). I am setting up two separate IPSec tunnels to remote networks, but each remote connection to a respective ASA interface.
Question: I know that the e0/0 ("outside") interface's security level is 0. However, does the second interface, e0/2 ("out2") security level have to be set to 0 as well?
Thanks,
Jim
06-12-2009 06:37 AM
Jim-
0 is the default setting for the interface tagged 'outside'. You can change it if you like. That being said, your 'outside2' interface can be 0 or any other number. It should not matter to the IPSec tunnel what the security level is.
Hope that helps.
06-12-2009 08:33 AM
Collin - Would it be possible to create a site-to-site vpn endpoint on other ASA interfaces that are not the "outside" interface?
I have a need to have two VPN endpoints on the same ASA device but I need to use separate interfaces (e0/2 and e0/3).
I will still need to maintain Internet access to e0/0 (outside) for the network on e0/1 (inside).
It is not a requirement that the VPN endpoint networks on e0/2 and e0/3 connect to the Internet or "inside" networks...only each other (respectively).
06-12-2009 08:40 AM
Yes you can, just apply the respective crypto map to the interface. You might want to make e0/2 and e0/3 the same security level (if your security policy allows it) and same-security-traffic permit inter-interface. That permits communication between different interfaces that have the same security level. Then you can skip the whole NAT mess.