Multiple Site to Site VPN with different Local Public IP address

mr_spock99
Level 1

Hello everyone

On the Cisco ASA, is it possible to define a different local public IP address, instead of the outside interface IP address, for a site-to-site VPN?

For example, if I have multiple customers connecting to my ASA and I want to give different customers different peer IPs instead of my single outside interface IP address, I should be able to define a specific public IP per customer while configuring.

Say for customer 1 ISAKMP is listening on local IP x.x.x.x, and for customer 2 ISAKMP is listening on local IP y.y.y.y.

It may be useless to have such a feature (or is it useful?). I just wanted to know whether something like that can be configured or not.

Thanks

4 Replies

jlmickens
Level 1

I don't see why not. Assuming you have sufficient public IP space to handle it, I would think you could create subinterfaces on the outside physical port and assign different addresses to them. I think most people wouldn't try this just because of limits on their public IP space.

Yes, it does take up a lot of public IP space, and having dot1q on the outside interface, plus a new subinterface every time a VPN is added for a new customer, and constantly going back to the ISP for these changes... sounds bad.

I'm looking for something simple (being able to define a separate IP address). I have seen it on a SonicWall, and I'm wondering if the ASA has something similar.

Or can we use policy NAT to translate the source to a different IP address? (Just wondering... can we mix NAT and VPN?)

I don't know why you would need dot1q or your ISP's involvement with changes. Your ISP should already be routing your public block to your interface, so you can use any of your IP addresses without their interference.

Frankly, I don't see how trying to use a different IP address for each VPN connection would be useful to start with, but if that's what you want to do, I don't see any other way of doing it at this point.  Admittedly, I could be wrong.

dmcloon
Level 1

If it were a router, you could put each public IP on a different loopback interface and then specify on each crypto map which loopback interface to take the local peer address from.

For example,

interface Loopback4
 description Loopback for S2S VPN Customer A
 ip address x.x.x.x 255.255.255.255
!
crypto map CUST4 local-address Loopback4

I'm also looking for an equivalent on the ASA because I need to migrate such a config from IOS, but so far I haven't found an ASA equivalent of the "crypto map local-address" command, and the ASA does not support loopback interfaces, so it looks like we are out of luck. Disappointed with the ASA.
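As an added example (not part of the thread and not Cisco's code), the following Python script audits an IOS configuration built the way the post above describes and reports, for each crypto map, which local address IKE/IPsec will actually source from: the address of the loopback named in `crypto map NAME local-address IFACE` when that line is present, otherwise the address of the interface the map is applied to. That inventory is what you need before migrating to a platform where the local address is always the terminating interface. The configuration text, interface names, map names and RFC 5737 documentation addresses are all constructed for the example.

```python
import re

# Constructed sample IOS configuration (RFC 5737 documentation addresses).
# CUST4 takes its local peer address from Loopback4 via local-address;
# CUST5 has no local-address line, so it falls back to the interface
# the map is applied on.
SAMPLE_CONFIG = """\
interface Loopback4
 description Loopback for S2S VPN Customer A
 ip address 198.51.100.4 255.255.255.255
!
interface Loopback5
 description Loopback for S2S VPN Customer B
 ip address 198.51.100.5 255.255.255.255
!
interface GigabitEthernet0/0
 description Outside, Customer A
 ip address 203.0.113.1 255.255.255.248
 crypto map CUST4
!
interface GigabitEthernet0/1
 description Outside, Customer B
 ip address 203.0.113.9 255.255.255.248
 crypto map CUST5
!
crypto map CUST4 local-address Loopback4
crypto map CUST4 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address VPN-CUST-A
!
crypto map CUST5 10 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set TS
 match address VPN-CUST-B
"""


def parse_blocks(text):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] == " ":
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def effective_local_addresses(config_text):
    """Return {crypto map name: info} where info says which interface and
    address the map sources IKE/IPsec from, and which remote peers it has."""
    iface_ip = {}       # interface -> primary IPv4 address
    applied_map = {}    # interface -> crypto map applied on it
    map_local_if = {}   # crypto map -> interface named in local-address
    map_peers = {}      # crypto map -> set of remote peer addresses

    for header, body in parse_blocks(config_text):
        m = re.fullmatch(r"interface (\S+)", header)
        if m:
            name = m.group(1)
            for sub in body:
                ip = re.fullmatch(r"ip address (\S+) (\S+)", sub)
                if ip:
                    iface_ip[name] = ip.group(1)
                cm = re.fullmatch(r"crypto map (\S+)", sub)
                if cm:
                    applied_map[name] = cm.group(1)
            continue
        m = re.fullmatch(r"crypto map (\S+) local-address (\S+)", header)
        if m:
            map_local_if[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", header)
        if m:
            peers = map_peers.setdefault(m.group(1), set())
            for sub in body:
                p = re.fullmatch(r"set peer (\S+)", sub)
                if p:
                    peers.add(p.group(1))

    report = {}
    for name, peers in map_peers.items():
        applied_on = sorted(i for i, mn in applied_map.items() if mn == name)
        if name in map_local_if:
            local_if, source = map_local_if[name], "local-address"
        elif len(applied_on) == 1:
            local_if, source = applied_on[0], "applied interface"
        else:
            local_if, source = None, "undetermined"
        report[name] = {
            "local_interface": local_if,
            "local_ip": iface_ip.get(local_if),
            "local_source": source,
            "applied_on": applied_on,
            "peers": sorted(peers),
        }
    return report


if __name__ == "__main__":
    for name, info in effective_local_addresses(SAMPLE_CONFIG).items():
        print(f"{name}: local {info['local_ip']} via {info['local_source']} "
              f"({info['local_interface']}) -> peers {info['peers']}")
```

`local-address` is keyed by crypto map name, not by sequence number, so a customer that must see its own source address needs its own map; the `local_source` field shows which maps quietly use the outside interface address instead, which is the behaviour that changes when the same tunnels are rebuilt on a platform without loopbacks.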