12-12-2012 01:00 PM
Hi,
I would like to ask if it's possible to set up a VPN with an ASA with one interface. Kindly see the attached diagram. Basically the local subnet (172.16.0.0/24) of the encryption domain of the ASA is located in another segment of the network, and for the ASA (VPN) to reach it, it must pass through the same outside interface where the VPN is originating (DMZ interface on the FWSM).
Kindly advise.
Thanks
Etienne
12-12-2012 02:05 PM
Yes, it is definitely possible.
All you have to do is forward VPN ports on the FWSM to the IP address of the ASA.
And the VPN config remains the usual and will include the local network as the DMZ network in the crypto ACL. Along with this, make sure the command 'same security permit intra-interface' is enabled on the ASA.
In this scenario encrypted traffic will reach the ASA using FWSM NAT, will then be decrypted on the ASA, and using the same-security command the traffic will U-turn into the network and get routed.
Also, just make sure that there is no asymmetric routing in the network, as the next hop for the remote network in the local LAN should be the ASA.
Regards,
Anuj
Sent from Cisco Technical Support Android App
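Putting Anuj's recipe into an ASA configuration, as an added example that is not part of the original thread (ASA 8.4-style syntax). The interface name, the remote peer 203.0.113.10, the remote LAN 192.168.50.0/24, the ASA/FWSM DMZ addresses and the pre-shared key are assumed placeholders; only 172.16.0.0/24 comes from the question.

```cisco
! --- ASA with a single DMZ-facing interface ("dmz"), 8.4-style syntax ---
! Added example, not from the thread. Assumed placeholders:
!   203.0.113.10 = remote VPN peer, 192.168.50.0/24 = remote LAN,
!   198.51.100.1 = FWSM DMZ address (next hop back toward 172.16.0.0/24)
interface GigabitEthernet0/0
 nameif dmz
 security-level 50
 ip address 198.51.100.5 255.255.255.0
!
! Let decrypted traffic leave through the interface it arrived on (the U-turn)
same-security-traffic permit intra-interface
!
! Both the remote peer and the local LAN 172.16.0.0/24 sit behind the FWSM,
! so a single default route via the FWSM DMZ address covers both directions
route dmz 0.0.0.0 0.0.0.0 198.51.100.1 1
!
object network LOCAL_LAN
 subnet 172.16.0.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
! Identity NAT (NAT exemption) for tunnel traffic entering and leaving dmz
nat (dmz,dmz) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Crypto ACL = the "encryption domain" from the question
access-list VPN_TO_REMOTE extended permit ip object LOCAL_LAN object REMOTE_LAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map DMZ_MAP 10 match address VPN_TO_REMOTE
crypto map DMZ_MAP 10 set peer 203.0.113.10
crypto map DMZ_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map DMZ_MAP interface dmz
crypto ikev1 enable dmz
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

On the FWSM side, UDP/500, UDP/4500 and ESP must be permitted (or statically NATed) to the ASA's DMZ address, and 192.168.50.0/24 must be routed toward the ASA so return traffic from 172.16.0.0/24 does not bypass it. `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA confirm the tunnel is up and that encaps/decaps counters increase in both directions.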
12-12-2012 02:18 PM
The ASA would have a public IP address on the DMZ interface. My only concern is how the
same security permit intra-interface command would work. Asymmetric routing shouldn't be a problem in this case.
12-12-2012 11:29 PM
This command will let the traffic U-turn on the DMZ interface.
Regards,
Anuj
Sent from Cisco Technical Support Android App