07-06-2015 01:35 AM
Hi All
I have a customer who has purchased the new ASA5506W (with built-in AP) firewalls and needs to configure EzVPN on them to a Head Office site. The EzVPN feature was initially removed from the ASA5506 series firewalls but will be returning in IOS release 9.5, which is due to be released soon. My question, however, is not about the ASA5506 supporting EzVPN; it is the following:
The EzVPN feature only supports connected networks accessing the Head Office LAN from the VPN client (remote EzVPN FW), so if one has a scenario where there are multiple VLANs behind the remote EzVPN FW, any network segment which is not directly connected will not be able to access the Head Office LAN. See the following post for an explanation of the issue: https://supportforums.cisco.com/discussion/10678416/asa-ezvpn-multiple-remote-subnets.
Now, my question (or solution which I think is a workable workaround) is as follows:
If I create multiple sub-interfaces on the physical interface of the ASA5506 and trunk this interface to the Cisco switch, then my multiple VLANs/segments become directly connected segments and therefore, based on the limitation of the EzVPN feature, should be able to access the Head Office LAN. Or am I mistaken here?
So basically, with the limitation of only connected networks being advertised, a situation like the one below does not work:
(--HEAD OFFICE LAN--)-->>ASA5520-->>(INTERNET/WAN)<<--5506W-->>(--LAN1--)-ROUTER / L3 SWITCH-(--MULTIPLE VLANS--)
Now my solution (which I think should work) is as follows:
(--HEAD OFFICE LAN--)-->>5520-->>(INTERNET/WAN)<<--5506-->>(--PHYSICAL-INTERFACE ((+MULTIPLE SUB-INTERFACES))--)-->>TRUNK TO SWITCH
Any ideas as to why this thinking would not work?
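The sub-interface/trunk layout proposed above, written out as an added configuration example (not from the original poster or from Cisco). Interface names, VLAN IDs and addresses are assumptions; the EzVPN client configuration itself is not shown, since the thread does not confirm the 9.5 syntax for the 5506.

```cisco
! ---- ASA5506 side (constructed example) ----
! Physical port carries only 802.1Q-tagged frames: with no nameif on the
! parent interface, untagged frames arriving here are dropped by the ASA.
interface GigabitEthernet1/2
 description Trunk to LAN switch (tagged VLANs only)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One sub-interface per VLAN. Each becomes a directly connected network on
! the ASA, which is the condition the thread describes for EzVPN.
interface GigabitEthernet1/2.10
 vlan 10
 nameif users
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif servers
 security-level 90
 ip address 192.168.20.1 255.255.255.0
!
! Side effect worth noting: inter-VLAN traffic now crosses the ASA instead
! of being switched in the LAN, so it is subject to interface ACLs and the
! security-level rules. Only enable the line below if VLANs with equal
! security levels are meant to reach each other.
! same-security-traffic permit inter-interface

! ---- Catalyst switch side (constructed example) ----
! Place the trunk native VLAN on an unused VLAN so no user VLAN is ever
! carried untagged, and disable DTP so the trunk state cannot be negotiated.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 description Trunk to ASA5506 Gi1/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
```

On switch platforms that still support ISL, `switchport trunk encapsulation dot1q` is required before `switchport mode trunk`; on dot1q-only models the command is not accepted and can be omitted.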
07-06-2015 11:00 PM
I have not tested this, but it should be OK as long as you do not hit the interface limit on the box if you have the base license.
HTH
Abaji.
07-07-2015 04:16 AM
The devices in question will have the Security Plus licenses, and we would not exceed the interface limit on the device.