Is it possible we use no-outside interface IPs as Peer address to build VPN tunnel on ASA?

ssi_admin (Level 1)

In my company, there are two different public IP ranges, for example 1.1.1.0/28 and 2.2.2.0/28. 1.1.1.1/28 was assigned as the firewall outside interface. We would like to use 2.2.2.0/28 as peer IPs for our clients, such as 2.2.2.1 for CustomerA, 2.2.2.2 for CustomerB, etc., but we did not set up any VLAN interface or physical interface belonging to the 2.2.2.0/28 range on the ASA. Even though we already advertise 2.2.2.0/28 to our ISP, is it possible to use it as peer IPs for VPN tunnels? If the answer is yes, do we have to open firewall rules such as ESP and ISAKMP to 2.2.2.0/28?

Thanks for your thoughts...

2 Replies

Jouni Forss (VIP Alumni)

Hi,

To my understanding, for VPN configurations you can only use the interface IP address. The ASA doesn't have any concept of a "secondary" IP address like Cisco routers do.

To my knowledge, the only way you can use multiple public IP addresses is by using them in NAT configurations. This naturally doesn't help you much, as you want the ASA to handle incoming VPN connections with multiple public IP addresses.

So taking that into account, the only way you could use multiple IP addresses for VPN connections with an ASA would be to have another ASA behind the edge ASA and configure ONE to MANY NAT for the internal ASA's "outside" IP address on the edge ASA. But I don't really see this as anything I would want to do.

- Jouni
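As an added illustration of the design Jouni describes (this is not configuration from the original thread): the edge ASA publishes one address from 2.2.2.0/28 and statically translates it to the outside address of an inner ASA that terminates the tunnels. The inner ASA's outside address 10.10.10.2, the interface name "dmz" and the ACL name are assumptions, and the syntax is ASA 8.3+ object NAT, where access-lists reference the real (untranslated) address.

```cisco
! Edge ASA: publish 2.2.2.1 as a VPN peer address by translating it to
! the inner ASA's outside interface (assumed 10.10.10.2 on interface "dmz").
! One static one-to-one NAT yields one extra peer address; each further
! peer address would need its own real address behind the edge ASA.
object network INNER_ASA_OUTSIDE
 host 10.10.10.2
 nat (dmz,outside) static 2.2.2.1

! Inbound rules on the edge: only IKE (UDP/500), NAT-T (UDP/4500) and ESP
! need to reach the inner ASA. NAT-T is permitted because the remote peers
! will detect the NAT in front of the inner ASA and switch to UDP/4500.
access-list OUTSIDE_IN extended permit udp any host 10.10.10.2 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 10.10.10.2 eq 4500
access-list OUTSIDE_IN extended permit esp any host 10.10.10.2
access-group OUTSIDE_IN in interface outside
```

The customers would then configure 2.2.2.1 as their peer address, and the edge ASA passes nothing to the inner ASA except the three protocols above.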

Andrew Phirsov (Level 7)

First of all, I don't see any reason to use different peer IPs (on the same appliance) for different clients, not from a performance or management flexibility point of view. Do you? All possible separations of what one customer can do/access over the tunnel versus the other could be achieved by proper tunnel-group/group-policy/DAP configurations. Why would you want to do this? Think of it again, and if there's something good you could achieve by doing this, I'd really like to know.