04-12-2013 12:49 PM
Hello.
Maybe this question is very stupid, but can I use the ASA in this scenario?
I don't want to use the inside interface. On the border router there will be a route to the VPN pool which points to the ASA. On the ASA there will be a default route. Traffic from a remote user comes to the ASA -> border router -> private network. Traffic to the remote user goes to the border router and then to the ASA -> VPN tunnel -> remote user. There will be no NAT on the outside interface.
Any suggestions appreciated.
Thanks.
04-20-2013 01:50 PM
I want to be sure that I understand correctly what you want to accomplish. I think that you are saying that you want to use the ASA5510 only to terminate SSL client VPN sessions. There will not be any use of firewall rules or of address translation. And that traffic will use only one interface of the ASA. This is an unusual deployment of the ASA but I would think that this would work.
HTH
Rick
04-20-2013 11:36 PM
Thank you for the reply.
Yes, you understand correctly. It seems that I have to terminate SSL sessions on the outside interface (not inside). But traffic from the tunnel will pass the outside interface without NAT (in a usual deployment it passes through the inside interface). And this makes me wary.
I think I have to add some rules to the outside interface that allow traffic from the tunnel to pass out the outside interface.
04-21-2013 06:00 AM
Yes, you probably need commands like these:
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
The first one would be especially important in your case. When I configure one I usually configure both of the commands. You can decide whether to use just one or to use both.
HTH
Rick
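The single-interface ("hairpin") layout discussed in this thread, written out as an added configuration example; it is not from the original posts. It assumes ASA 9.x syntax, and all addresses, interface names, pool and group names are placeholders.

```cisco
! --- Border router (IOS), constructed example ---
! Send the VPN client pool back to the ASA's outside address
ip route 10.10.10.0 255.255.255.0 192.0.2.2

! --- ASA 5510 (9.x syntax assumed), constructed example ---
! The only interface in use
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0

! Default route back toward the border router
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Decrypted client traffic enters on outside and must leave on outside:
! without this the ASA drops the hairpinned flow
same-security-traffic permit intra-interface

! No "nat" statements at all, so pool addresses are routed untranslated.
! Decrypted VPN traffic bypasses the outside ACL while the default
! "sysopt connection permit-vpn" is in effect.

ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

webvpn
 enable outside
 ! anyconnect image disk0:/<client-package>.pkg   (placeholder path)
 anyconnect enable

group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool VPNPOOL
 default-group-policy SSLVPN-GP
```

To confirm the hairpin is active, "show running-config same-security-traffic" should list the intra-interface line, and "show vpn-sessiondb anyconnect" shows the pool address assigned to a connected client.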
04-21-2013 07:40 PM
Thank you for the reply, Rick.
I'll try to modify my config this week.
I'll let you know about results.