ASA: can I have multiple subinterfaces with a separate VPN tunnel terminated on each sub?

Florin Andrei
Level 1

I need to create VPN tunnels from the office to several VPCs in the cloud. I know an ASA could do it. The problem is, the provider wants me to terminate each tunnel on a different IP.

I know that I can create many subinterfaces on the public side on the ASA. But can I setup the VPN tunnels to terminate each on a different subinterface?

7 Replies 7

rizwanr74
Level 7

Yes, you can, as long as you have enabled isakmp on the given sub-interface.

 

interface GigabitEthernet0/0.1
 nameif outside1
 security-level 1
 ip address 1.1.1.1 255.255.255.252

 

crypto map CrypSub1 interface GigabitEthernet0/0.1

 

As you can see, this crypto map CrypSub1 is mapped to subinterface GigabitEthernet0/0.1.

 

Hope this answers your question.

Thanks

 

It has to be

crypto map CrypSub1 interface outside1

as the CMs are applied to the interface name and not the Hardware-ID.

From the original description it's still unclear if it will work. All subinterfaces should be configured with their own public IP-range and you need to get your routing working.

Better ask your provider why they want different IPs in this scenario. Doesn't seem to make any sense to me.
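A complete two-subinterface configuration built from the corrections in this thread (crypto map bound to the nameif, IKE enabled per subinterface, a route to each peer via its own subinterface). This is an added example, not posted by anyone in the thread; the interface names, VLAN IDs, RFC 5737 addresses, peer IPs and ACL names are constructed, and it assumes ASA 9.x IKEv1 syntax (older images use "crypto isakmp enable <nameif>"):

```cisco
! Added example, not from the thread. Two outside subinterfaces, each
! terminating its own site-to-site tunnel to a different peer.
interface GigabitEthernet0/0.1
 vlan 101
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0.2
 vlan 102
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Default route via outside1; the second peer must be reached via outside2
! so that IKE and ESP for that tunnel source from 198.51.100.2.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 192.0.2.10 255.255.255.255 198.51.100.1 1
!
! Interesting traffic (encryption domains) for each tunnel
access-list VPN1-ACL extended permit ip 10.50.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list VPN2-ACL extended permit ip 10.50.0.0 255.255.0.0 20.20.20.0 255.255.255.0
!
! IKEv1 phase 1 policy and pre-shared keys (placeholders) per peer
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
crypto ikev1 enable outside1
crypto ikev1 enable outside2
tunnel-group 192.0.2.5 type ipsec-l2l
tunnel-group 192.0.2.5 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-KEY-1
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-KEY-2
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map per subinterface, applied to the nameif, not the hardware ID
crypto map CrypSub1 10 match address VPN1-ACL
crypto map CrypSub1 10 set peer 192.0.2.5
crypto map CrypSub1 10 set ikev1 transform-set AES256-SHA
crypto map CrypSub1 interface outside1
crypto map CrypSub2 10 match address VPN2-ACL
crypto map CrypSub2 10 set peer 192.0.2.10
crypto map CrypSub2 10 set ikev1 transform-set AES256-SHA
crypto map CrypSub2 interface outside2
```

"show crypto ikev1 sa" and "show crypto ipsec sa" should then list each tunnel under its own local address; NAT exemption for 10.50.0.0/16 toward the remote subnets is still needed if NAT rules cover that traffic and is not shown here.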

Good catch.

Yes, it has to be mapped to the interface name.

 

I understand the above loud and clear. That is different subinterfaces/IPs per VPN and having the different crypto maps binding to unique outside sub-interfaces.

What about the scenario where multiple VPNs are required (each VPN terminating on a different sub-int IP) but using the same common AWS endpoint VPN IP?

VPN gateway/crypto endpoints:

AWS.ip X  <------> ASA sub-interface outside.vlan/IP Y 

AWS.ip X <-------> ASA sub-interface outside.vlan/IP Z

 

encrypted domains enclosed within brackets:

AWS.ip X (10.10.10.0/24)  <------> ASA sub-interface outside.vlan/IP Y (10.50.0.0/16)

AWS.ip X (20.20.20.0/24)<-------> ASA sub-interface outside.vlan/IP Z (10.50.0.0/16)

 

Is a solution possible for the above using the ASA in single context mode?

I'm thinking with the ASA routing it won't be possible as the route for the remote VPN crypto endpoint/gateway X will only be configured using a gateway belonging to either VLAN Y or Z.

I don't see any issue with ASA routing for the AWS encrypted subnets:

1. 10.10.10.0/24 will use vlan Y g/w

2. 20.20.20.0/24 will use vlan Z g/w

 

Hoping for some feedback/views on whether there is any way to get this working.

## Update - I received a response from the Cisco TAC to the scenario I detailed above. There is no solution within a single-context mode. However, there would be a solution running the ASA in multi-context mode.


It's an AWS limitation. When creating multiple tunnels from the same device to different VPCs, they ask that the tunnels originate on different IP addresses.

 

https://aws.amazon.com/articles/5458758371599914

 

But it seems like the ASA supports VPN tunnels on sub-interfaces, so we should be okay.

mandar.limaye1
Level 1

.