
ASA VPN Setup with One Interface

etiennevella
Level 1

Hi,

I would like to ask if it's possible to set up a VPN with an ASA with one interface. Kindly see the attached diagram. Basically, the local subnet (172.16.0.0/24) of the encryption domain of the ASA is located in another segment of the network, and for the ASA (VPN) to reach it, it must pass through the same outside interface where the VPN is originating (DMZ interface on the FWSM).

Kindly advise.

Thanks

Etienne

3 Replies

anujsharma85
Level 1

Yes, it is definitely possible.

All you have to do is forward the VPN ports on the FWSM to the IP address of the ASA.

The VPN config remains the usual and will include the local network as the DMZ network in the crypto ACL. Along with this, make sure the command 'same-security-traffic permit intra-interface' is enabled on the ASA.

In this scenario, encrypted traffic will reach the ASA using FWSM NAT and will then be decrypted on the ASA, and using the same-security command the traffic will U-turn in the network and get routed.

Also, just make sure that there is no asymmetric routing in the network, as the next hop for the remote network in the local LAN should be the ASA.

Regards,
Anuj

Sent from Cisco Technical Support Android App

The ASA would have a public IP address on the DMZ interface. My only concern is how the same-security-traffic permit intra-interface command would work. Asymmetric routing shouldn't be a problem in this case.

anujsharma85
Level 1

This command will let the traffic U-turn on the DMZ interface.

Regards,
Anuj


Sent from Cisco Technical Support Android App
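
The single-interface setup discussed in this thread, as an added configuration sketch that is not part of any poster's reply. It assumes ASA 8.x syntax earlier than 8.4 (later releases use the `ikev1` keyword forms) and an interface named `outside`; every address other than 172.16.0.0/24, the peer, the object names and the key are placeholders.

```cisco
! Constructed example. 198.51.100.0/24 (DMZ segment), 203.0.113.10 (remote peer),
! 10.50.0.0/24 (remote subnet) and the key are placeholders, not values from the thread.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Let traffic leave through the interface it arrived on (the U-turn).
! This is a global setting, so the crypto ACL below is what limits the
! traffic that is actually decrypted and hairpinned.
same-security-traffic permit intra-interface
!
! Default route and the local encryption-domain subnet both point at the
! FWSM DMZ address (assumed 198.51.100.1) on the same interface.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
route outside 172.16.0.0 255.255.255.0 198.51.100.1
!
! Crypto ACL: local subnet from the question to the assumed remote subnet.
access-list VPN-TRAFFIC extended permit ip 172.16.0.0 255.255.255.0 10.50.0.0 255.255.255.0
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
```

On the LAN side, the next hop for the remote subnet (10.50.0.0/24 here) has to be the ASA's address, which is the asymmetric-routing point raised in the first reply.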
