ASA multiple IPs in same subnet

kitt001
Level 1

Let me preface my question with the fact that I realize what I want to do may not be possible … but I'm hoping I'm just not looking at it correctly, and someone here can point me in the right direction.


I run several ASAs to connect a ton of l2l VPNs, and I am now having to readdress all of the VPNs due to a change in upstream connectivity. In my current configurations, I have many remote VPNs pointed to the primary outside address of each peer on my side, which was initially done because of a shortage of public addresses and because generally it works that way. As I periodically need to shuffle my end of the tunnels from one ASA to another, however, this requires getting customers involved, and that makes the process very complicated even when it's just for our own internal maintenance. The VPNs themselves share no common routing and are all completely isolated on each side; since they're totally independent, maintenance on one should never need to impact another. However, they always share a peer, so one tunnel can't be easily separated, or temporarily shifted to/from alternate/dedicated hardware, without involving the remote side to make configuration changes.


With the new upstream connection, I'm no longer constrained for IPs, and, if possible, I'd like to migrate all of the VPNs to dedicated IPs on my side for use as their peers; but this requires me to be able to host multiple addresses from the same /25 on each ASA … on separate logical outside interfaces to link them to each VPN (since I only have one ASA per ~10 VPNs). I've seen configurations like this on other platforms, but haven't yet had any success finding a parallel on the ASAs. That said, I'd be grateful to anyone who can shed some light on how I need to approach it, or why they know it can't be done.


I'm running 5516X hardware with ASA 9.10(1) software.


Thanks for any insight.

2 Replies

Hi,
On an ASA you can only terminate a VPN to the outside interface IP address. On a Cisco router (I appreciate you may not have one spare), you could use multiple loopback interfaces with a VPN and potentially achieve what you wanted.

HTH

I've got systems currently with VPNs terminated on multiple "outside" interfaces, but in the current cases, the "outside" interfaces are connected to different upstream providers, and each lives in distinct address space.


I was hoping that through some VTI or BVI magic I could accomplish the same scenario by simply getting the interfaces to live in the same subnet, thus achieving essentially the same thing I already do. But no matter what I've attempted, things go south whenever I try to initialize two interfaces of any type with overlapping address space.


Maybe the real question comes down to this: can an ASA be forced to initialize interfaces that contain overlapping address space? Technically, if their security level is left blank, the system wouldn't even try to use them for routing …