03-01-2015 01:36 AM
I need to create VPN tunnels from the office to several VPCs in the cloud. I know an ASA could do it. The problem is, the provider wants me to terminate each tunnel on a different IP.
I know that I can create many subinterfaces on the public side on the ASA. But can I setup the VPN tunnels to terminate each on a different subinterface?
03-01-2015 01:55 AM
Yes, you can, as long as you have isakmp enabled on the given sub-interface.
interface GigabitEthernet0/0.1
nameif outside1
security-level 1
ip address 1.1.1.1 255.255.255.252
crypto map CrypSub1 interface GigabitEthernet0/0.1
As you can see, this crypto map instance CrypSub1 is mapped to subinterface GigabitEthernet0/0.1.
Hope this answers your question.
Thanks
03-01-2015 08:18 AM
It has to be
crypto map CrypSub1 interface outside1
as the CMs are applied to the interface name and not the Hardware-ID.
From the original description it's still unclear if it will work. All subinterfaces should be configured with their own public IP-range and you need to get your routing working.
Better ask your provider why he wants different IPs in this scenario. Doesn't seem to make any sense to me.
03-01-2015 08:41 AM
Good catch.
Yes, it has to be mapped to the interface name.
08-06-2015 04:49 PM
I understand the above loud and clear. That is different subinterfaces/IPs per VPN and having the different crypto maps binding to unique outside sub-interfaces.
What about the scenario where multiple VPNs are required (each VPN terminating on a different sub-int IP) but using the same common AWS endpoint VPN IP?
VPN gateway/crypto endpoints:
AWS.ip X <------> ASA sub-interface outside.vlan/IP Y
AWS.ip X <-------> ASA sub-interface outside.vlan/IP Z
encrypted domains enclosed within brackets:
AWS.ip X (10.10.10.0/24) <------> ASA sub-interface outside.vlan/IP Y (10.50.0.0/16)
AWS.ip X (20.20.20.0/24)<-------> ASA sub-interface outside.vlan/IP Z (10.50.0.0/16)
Is a solution possible for the above using the ASA in single context mode?
I'm thinking with the ASA routing it won't be possible as the route for the remote VPN crypto endpoint/gateway X will only be configured using a gateway belonging to either VLAN Y or Z.
I don't see any issue with ASA routing for the AWS encrypted subnets:
1. 10.10.10.0/24 will use vlan Y g/w
2. 20.20.20.0/24 will use vlan Z g/w
Hoping for some feedback/views on whether there is any way to get this working.
## Update - I received a response from the Cisco TAC to the scenario I detailed above. There is no solution within a single-context mode. However, there would be a solution running the ASA in multi-context mode.
10-10-2015 06:51 AM
03-10-2015 10:52 AM
It's an AWS limitation. When creating multiple tunnels from same device to different VPCs, they ask that the tunnels originate on different IP addresses.
https://aws.amazon.com/articles/5458758371599914
But it seems like the ASA supports VPN tunnels on sub-interfaces, so we should be okay.