ASA dynamic map RA VPN

georgehewittuk1 (Level 1)

Hi All,

I've been troubleshooting an issue in an older environment and wanted to run my theory of what the issue is past you, as I'm not that familiar with dynamic maps on an ASA.

**Problem statement** – Can't connect to IPsec remote access from any interface other than the outside (the internet interface we use). Needing this access is a long story: due to a change at a branch, it needs to come in via the internal interface on the WAN. So the goal here is to allow IPsec RA to work from the WAN interface rather than the internet-facing interface called outside.

Is it possible to re-use the same dynamic map on another interface? Would it cause a problem with the current 'outside-map' configuration (below) if I created a new crypto map, for example 'wan-map', and added the same dynamic map to it?

**Config -**

crypto dynamic-map dynamicmap 10 set pfs
crypto dynamic-map dynamicmap 10 set ikev1 transform-set AES128SHA
crypto dynamic-map dynamicmap 10 set reverse-route
crypto dynamic-map dynamicmap 20 set ikev2 ipsec-proposal AES128SHA
crypto dynamic-map dynamicmap 20 set reverse-route
crypto dynamic-map dynamicmap 65535 set pfs
crypto dynamic-map dynamicmap 65535 set ikev1 transform-set AES128SHA
crypto dynamic-map dynamicmap 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map dynamicmap 65535 set reverse-route
crypto map outside (site-to-site VPN entries removed here as irrelevant) <-----------------------
crypto map outside-map 65535 ipsec-isakmp dynamic dynamicmap
crypto map outside-map interface outside
crypto ikev2 enable outside
crypto ikev2 enable wan
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 enable wan
crypto ikev1 policy 5

Thanks in advance.

balaji.bandi (Hall of Fame)

**Problem statement** – Can't connect to IPsec remote access from any interface other than the outside (the internet interface we use). Needing this access is a long story: due to a change at a branch, it needs to come in via the internal interface on the WAN. So the goal here is to allow IPsec RA to work from the WAN interface rather than the internet-facing interface called outside.

BB - Trying to understand the issue you have mentioned: do you have two outgoing paths connected to the internet (using the outside interface and the WAN interface), or only one internet connection, which terminates on outside?

If you have only one internet connection, then you need to terminate the VPN on that link and segment the network to your WAN resources only.


BB


Hello, one outside (internet-facing) interface and one WAN MPLS interface on the ASA. It is working with a dynamic map on the outside (internet-facing) interface, but I need to replicate it to the other interface without affecting the current one, as we need to be able to connect to the WAN interface on the ASA for IPsec connections.

Hi,

Yes, you can enable RA VPN on multiple interfaces. You may need to add the appropriate NAT exemption rule to ensure the RA VPN network is not NATed to/from the WAN interface. If you use ASDM to enable IPsec on another interface, it will usually create another dynamic crypto map; you can just change this to use the existing one. Beware that changing a dynamic crypto map seems to drop existing connections, so you may want to make the change out of hours / in a change window.


HTH
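
A worked configuration for the approach described in the reply above. This is an added example, not something posted in the thread or taken from Cisco documentation, so verify it in a lab first. It binds a second crypto map to `wan` that references the existing `dynamicmap` (the dynamic map itself is not edited, so the sessions already terminated on `outside` are not touched), adds the NAT exemption the reply mentions, and restricts which sources may bring up IKE on the WAN side. The interface name `inside`, the object names, the RA pool `10.200.0.0/24`, the internal range `10.0.0.0/8`, the branch range `172.16.50.0/24` and the WAN interface address `172.16.1.1` are assumptions; the dynamic-map lines, the `outside-map` binding and the IKE enables are copied from the original post.

```cisco
! --- Assumed objects (not in the original post; adjust to your addressing) ---
object network RA_POOL
 subnet 10.200.0.0 255.255.255.0
object network INTERNAL_NETS
 subnet 10.0.0.0 255.0.0.0
object network BRANCH_SRC
 subnet 172.16.50.0 255.255.255.0

! --- Existing dynamic map and outside binding, left exactly as posted ---
crypto dynamic-map dynamicmap 10 set pfs
crypto dynamic-map dynamicmap 10 set ikev1 transform-set AES128SHA
crypto dynamic-map dynamicmap 10 set reverse-route
crypto dynamic-map dynamicmap 20 set ikev2 ipsec-proposal AES128SHA
crypto dynamic-map dynamicmap 20 set reverse-route
crypto map outside-map 65535 ipsec-isakmp dynamic dynamicmap
crypto map outside-map interface outside

! --- New: a second crypto map that references the SAME dynamic map, bound to wan ---
! Only a new crypto map is created; dynamicmap is unchanged, so outside RA sessions stay up.
crypto map wan-map 65535 ipsec-isakmp dynamic dynamicmap
crypto map wan-map interface wan

! IKEv1/IKEv2 were already enabled on wan in the original post
crypto ikev1 enable wan
crypto ikev2 enable wan

! --- NAT exemption: RA pool traffic between inside and wan must not be translated ---
! (assumed interface name "inside"; mirror whatever nat (inside,outside) exemption already exists)
nat (inside,wan) source static INTERNAL_NETS INTERNAL_NETS destination static RA_POOL RA_POOL no-proxy-arp route-lookup

! --- Optional hardening: only the branch range may talk IKE/IPsec to the wan interface address ---
! Control-plane ACLs filter traffic TO the ASA itself on that interface; the explicit deny
! also drops any other to-the-box traffic on wan (SSH, SNMP, routing protocols), so inventory
! those first and add permits for them before applying this.
access-list WAN_CP extended permit udp object BRANCH_SRC host 172.16.1.1 eq isakmp
access-list WAN_CP extended permit udp object BRANCH_SRC host 172.16.1.1 eq 4500
access-list WAN_CP extended permit esp object BRANCH_SRC host 172.16.1.1
access-list WAN_CP extended deny ip any any log
access-group WAN_CP in interface wan control-plane
```

After applying, `show crypto map` should list both `outside-map` and `wan-map` referencing `dynamicmap`, and a test client on the branch range should show an IKE SA in `show crypto ikev1 sa` or `show crypto ikev2 sa` with the wan address as the local endpoint. Tunnel-group, group-policy and `sysopt connection permit-vpn` are global on the ASA and need no per-interface changes. If RA clients must reach networks behind interfaces other than `inside`, each of those needs its own `nat (<ifc>,wan)` exemption in the same form.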

Thanks for the advice, I'll give it a try OOO.