02-08-2020 06:14 PM
Hi All,
I’ve been troubleshooting an issue in an older environment and wanted to run my theory of what the issue is past you, as I'm not that familiar with dynamic maps on an ASA.
**Problem statement** – Can’t connect to IPsec remote access from any interface other than outside (the internet interface we use). Long story, but this access is needed due to a change at a branch that now needs to come in via the internal interface on the WAN. So the goal here is to allow IPsec RA to work from the WAN interface rather than the internet-facing interface called outside.
Is it possible to re-use the same dynamic map on another interface? Would it cause a problem with the current 'outside-map' configuration (below) if I created a new crypto map, for example 'wan-map', and added the same dynamic map to it?
**Config -**
```
crypto dynamic-map dynamicmap 10 set pfs
crypto dynamic-map dynamicmap 10 set ikev1 transform-set AES128SHA
crypto dynamic-map dynamicmap 10 set reverse-route
crypto dynamic-map dynamicmap 20 set ikev2 ipsec-proposal AES128SHA
crypto dynamic-map dynamicmap 20 set reverse-route
crypto dynamic-map dynamicmap 65535 set pfs
crypto dynamic-map dynamicmap 65535 set ikev1 transform-set AES128SHA
crypto dynamic-map dynamicmap 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map dynamicmap 65535 set reverse-route
crypto map outside (SITE TO SITE VPNs are here, removed as irrelevant) <-----------------------
crypto map outside-map 65535 ipsec-isakmp dynamic dynamicmap
crypto map outside-map interface outside
crypto ikev2 enable outside
crypto ikev2 enable wan
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 enable wan
crypto ikev1 policy 5
```
Thanks in advance.
02-08-2020 08:31 PM
> **Problem statement** – Can’t connect to IPsec remote access from any interface other than outside (the internet interface we use). Long story, but this access is needed due to a change at a branch that now needs to come in via the internal interface on the WAN. So the goal here is to allow IPsec RA to work from the WAN interface rather than the internet-facing interface called outside.

BB - Trying to understand the issue you mentioned: do you have 2 outgoing paths connected to the internet (using the outside interface and the WAN interface),
or only 1 internet connection, terminated on outside?
If you have only 1 internet connection, then you need to terminate the VPN using that link and segment the network to your WAN resources only.
02-09-2020 03:14 AM - edited 02-09-2020 03:16 AM
Hello, one outside (internet-facing) interface and one WAN MPLS interface on an ASA. It's working with a dynamic map on outside (internet-facing) but I need to replicate it to the other interface without affecting the current one, as we need to be able to connect to the WAN interface on the ASA for IPsec connections.

@balaji.bandi wrote:
> **Problem statement** – Can’t connect to IPsec remote access from any interface other than outside (the internet interface we use). Long story, but this access is needed due to a change at a branch that now needs to come in via the internal interface on the WAN. So the goal here is to allow IPsec RA to work from the WAN interface rather than the internet-facing interface called outside.
>
> BB - Trying to understand the issue you mentioned: do you have 2 outgoing paths connected to the internet (using the outside interface and the WAN interface),
> or only 1 internet connection, terminated on outside?
> If you have only 1 internet connection, then you need to terminate the VPN using that link and segment the network to your WAN resources only.
02-09-2020 04:47 AM
Hi,
Yes, you can enable RAVPN on multiple interfaces. You may need to add the appropriate NAT exemption rule to ensure the RAVPN network is not NATed to/from the WAN interface. If you use ASDM to enable IPsec on another interface, it will usually create another dynamic crypto map; you can just change this to use the existing one. Beware: changing a dynamic crypto map seems to drop existing connections, so you may want to make the change out of hours / in a change window.
HTH
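The approach in this answer written out as ASA CLI, as an added example rather than the poster's own configuration: a second crypto map bound to the wan interface references the existing dynamic map unchanged, and an identity NAT rule exempts traffic between the internal networks and the RA address pool on the wan side. Only the dynamic map name `dynamicmap`, the interface `wan` and the untouched `outside-map` come from the thread; the object names `INSIDE-NETS` and `RAVPN-POOL`, the address ranges, and the interface nameif `inside` are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Assumed: object-group INSIDE-NETS, object/pool RAVPN-POOL, inside nameif "inside".
! From the thread: dynamic map "dynamicmap", interface "wan", existing "outside-map".

! Address pool handed to remote-access clients (constructed range)
ip local pool RAVPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
object network RAVPN-POOL
 subnet 10.99.0.0 255.255.255.0
object-group network INSIDE-NETS
 network-object 10.10.0.0 255.255.0.0

! Second crypto map that re-uses the SAME dynamic map entry, bound to wan.
! outside-map is left as it is, so the existing outside RA/S2S behaviour is unchanged.
crypto map wan-map 65535 ipsec-isakmp dynamic dynamicmap
crypto map wan-map interface wan

! IKEv1/IKEv2 are already enabled on wan in the thread (crypto ikev1/ikev2 enable wan).

! NAT exemption (identity NAT) so RA client traffic to/from internal networks
! crosses the wan interface untranslated in both directions.
nat (inside,wan) source static INSIDE-NETS INSIDE-NETS destination static RAVPN-POOL RAVPN-POOL no-proxy-arp route-lookup

! Verification after the change (do it in a change window: editing the dynamic
! map tears down existing tunnels, as the answer warns).
show run crypto map
show crypto ikev2 sa
show crypto ipsec sa peer <client-ip>
show nat detail
```

The pool still has to be assigned to the tunnel-group or group-policy the clients land in (`address-pool RAVPN-POOL`), which is outside this fragment; the `show nat detail` hit counters are the quickest way to confirm the exemption is actually matching rather than a broader dynamic NAT rule further down the table.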
02-10-2020 01:17 AM
Thanks for the advice, I'll give it a try OOO.