08-20-2019 02:52 AM
Hi
We have an ASA firewall in an HA setup and are currently moving over to a new internet circuit provided by the Data Centre. Previously the public range extended out to the next-hop address, so the VPNs terminated on the outside interface.
However, the DC has now provided a new public range for us to use, which will sit inside the firewall, while the outside interface is on a different subnet for the point-to-point link to the internet.
So my question is:
1. When configuring IPsec VPNs, do they need to terminate on a physical interface, which would mean I would have to use the outside interface IP (which is on a different subnet from my actual public range), or can I use an IP from the new range provided (even if it means configuring a loopback as the VPN peer)?
I would like to use an IP from the new range so that in the future, if we ever need to move internet providers, I don't have to change the VPN peer address.
Thanks
08-20-2019 03:00 AM
08-21-2019 02:39 AM
Hi
What if I use a separate physical interface on the ASA, other than the outside interface, as the VPN termination, so that the outside interface is the point-to-point to the DC, and another physical interface is assigned an IP from our public range and connected to the external switch so that it stays up?
In that case, how does the traffic flow work for VPNs? Does it come into the ASA on the outside interface and then, internally on the ASA, hit the VPN interface, in which case is the VPN on the inside of the VPN interface?
Thanks
08-21-2019 04:25 AM
08-21-2019 01:55 PM
Right: traffic cannot come into one interface of an ASA and be terminated on a different interface of the same ASA. That's by design and cannot be changed.
07-31-2020 05:53 AM
Just wondering if it should work if it is configured with "same-security-traffic permit inter-interface" and an inbound NAT is configured on the 1st (old) outside interface, where the traffic still arrives, pointing to the new IP configured on a 2nd (new) outside interface?
thanks
Regards
08-20-2019 05:16 AM
ASAs don't have loopback addresses, but since 9.7(1) they do have Virtual Tunnel Interface (VTI) support. You might be able to make it work using that.