Beginner

Cisco ASA - Policy Based VPN & Route Based VPN

Hi There,

Can someone assist me with the queries below?

  • Is route-based VPN possible on a Cisco ASA device? I installed a policy-based VPN, but I'm not sure about this route-based VPN.
  • If possible, how can we configure both policy-based VPN and route-based VPN on the same device? (Reason: in my environment the requirement is to configure both types of VPN on the same Cisco ASA device.)

Thanks & Regards,

Gan

7 Replies
VIP Advisor

Route-based VPNs are based on "tunnel interfaces"; policy-based VPNs are ACL based.

There is plenty of documentation on this subject.

Check this link on how to build tunnel interfaces for route-based VPN:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

Please remember to rate useful posts, by clicking on the stars below.


Thanks for the reply Denis.

I already referred to the link which you shared. The configuration mentioned in this link applies to Cisco routers only, not to the ASA.

I do have an idea about the tunnel interface (I built route-based VPN on Juniper and Fortigate). On other vendors' firewalls (Fortigate, Juniper), we can create a tunnel interface and map it to the 'Outside' interface. However, I don't have any idea on the Cisco ASA device, and I'm also not seeing any commands on the ASA for creating a tunnel interface.

So I'm looking for assistance to build a route-based VPN on the ASA.

Thanks & Regards,

Gan


http://packetsneverlie.blogspot.com.au/2012/06/route-based-ipsec-vpn-on-asa.html

Please remember to rate useful posts, by clicking on the stars below.


Hi Dennis,

I referred to this link as well; this config is the same as policy-based VPN.

The reason why I'm saying this is that we need to come up with a new interface IP and route it through that interface. We are doing the same in policy-based VPN as well.

In Juniper, we need to create a tunnel interface and map it to the Outside interface, so there is no need to specify a different IP for the tunnel interface.

ASAs won't allow you to do that, mate; they are policy based. If you need logical tunnel interfaces, you require an L3 device with crypto features, not an ASA.

Please remember to rate useful posts, by clicking on the stars below.


Route-based VPN (VTI) for ASA.

+ You need an ASA with frame version 9.7 and above.

+ Steps to do the configuration using ASA with VTI VPN:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html

+ The tunnel interface is not visible for OSPF.

+ Only IKEv1 is supported with VTI.

+ IKEv2 is not available for the VTI IPsec profile (no IKEv2 with route-based VPNs on the ASA).

+ Only BGP is listed in the documentation link as working for now.

If you like that answer, please rate it.

Thank you