
Cisco ASA - Policy Based VPN & Route Based VPN

gangadaran86
Level 1

Hi There,

Can someone assist me with the queries below:

  • Is route-based VPN possible on a Cisco ASA device? I installed a policy-based VPN, but I'm not sure about route-based VPN.
  • If possible, how can we configure both policy-based VPN and route-based VPN on the same device? (Reason: in my environment the requirement is to configure both types of VPN on the same Cisco ASA device.)

Thanks & Regards,

Gan

7 Replies

Dennis Mink
VIP Alumni

Route-based VPNs are based on "tunnel interfaces"; policy-based VPNs are ACL-based.

There is plenty of documentation on this subject.

Check this link on how to build tunnel interfaces for route-based VPN:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

Please remember to rate useful posts, by clicking on the stars below.

Thanks for the reply Dennis.

I have already referred to the link you shared. The configuration mentioned in that link applies to Cisco routers only, not to the ASA.

I do have an idea about the tunnel interface (I built route-based VPNs on Juniper and Fortigate). In other vendors' firewalls (Fortigate, Juniper), we can create a tunnel interface and map it to the 'Outside' interface. However, I don't have any idea about the Cisco ASA device; also, I'm not seeing any commands on the ASA for creating a tunnel interface.

So I'm looking for assistance to build a route-based VPN on the ASA.

Thanks & Regards,

Gan

http://packetsneverlie.blogspot.com.au/2012/06/route-based-ipsec-vpn-on-asa.html


Hi Dennis,

I referred to this link as well; this config is the same as a policy-based VPN.

The reason I'm saying this is that we need to come up with a new interface IP and route through that interface. We are doing the same in the policy-based VPN as well.

In Juniper, we need to create a tunnel interface and map it to the Outside interface, so there is no need to specify a different IP for the tunnel interface.

ASAs won't allow you to do that, mate; they are policy-based. If you need logical tunnel interfaces, you require an L3 device with crypto features, not an ASA.

Route-based VPN (VTI) for ASA.

+ You need an ASA with frame version 9.7 and above.

+ Steps to do the configuration using ASA with VTI VPN:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html

+ The tunnel interface is not visible to OSPF.

+ Only IKEv1 is supported with VTI.

+ IKEv2 is not available for the VTI IPsec profile (no IKEv2 with route-based VPNs on ASA).

+ Only BGP is listed in the documentation link as working for now.

If you like that answer, please rate it.

Thank you
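For reference, here is an added example of what the VTI approach from that documentation looks like as an ASA 9.7 IKEv1 configuration (constructed for this thread, not taken from the original post or Cisco's page): the tunnel interface carries its own address and a static route steers traffic into it, which is what separates it from the crypto-map policy-based setup. The peer address, subnets, object names and the pre-shared key are placeholders.

```cisco
! Phase 1: only IKEv1 on a VTI in 9.7, as the post above notes
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2: a VTI binds to an IPsec profile, not to a crypto map or an interesting-traffic ACL
crypto ipsec ikev1 transform-set VTI-TS esp-aes-256 esp-sha-hmac
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set VTI-TS
!
! Peer authentication; 203.0.113.2 and the key are placeholders
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! The tunnel interface gets its own address (a /30 here) and a nameif,
! so the normal interface ACLs and NAT rules apply to traffic crossing it
interface Tunnel0
 nameif VTI-TO-PEER
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Routing decides what gets encrypted: a static route into the VTI (BGP over the tunnel also works)
route VTI-TO-PEER 10.20.0.0 255.255.0.0 169.254.10.2
!
! Exempt the tunnelled traffic from dynamic NAT and restrict what the peer may send in
object network LOCAL-LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.0.0
nat (inside,VTI-TO-PEER) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
access-list VTI-IN extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-group VTI-IN in interface VTI-TO-PEER
```

Because the VTI does not use a crypto map, the policy-based tunnel to another peer keeps its own crypto map on the outside interface, and only the routing table decides which traffic enters the VTI.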