
Separate IPsec Tunnels for Inbound and Outbound traffic

danieltudares84
Level 1

 

Hi, I need to establish an IPsec connection between two sites, but they need to have different IPs for the inbound and outbound traffic, so we have to go out using one external IP address and the other site has to establish the VPN pointing to a different IP address from the one we are using to connect with them... Is it possible to make this connection and assign two external IPs to the outside interface? How? I have an ASA 5506-X.

 

Thank you. 

Daniel

5 Replies

That can't be done with the ASA. You could do it with an IOS-router. But: Why do you want to do that? When the tunnel is established, you can communicate in both directions.

Well, the customer requested this configuration; they want two separate tunnels for in and out traffic. How could it be done with IOS? Can I configure in the ASA a NAT pool overloaded with my two external IPs and then make the tunnel go out using one of the two IPs and the other side use the other IP?

> Well, the customer requested this configuration; they want two separate tunnels for in and out traffic.

What benefit do they see in that config?

> How could it be done with IOS? Can I configure in the ASA a NAT pool overloaded with my two external IPs and then make the tunnel go out using one of the two IPs and the other side use the other IP?

On the router, VPNs can be terminated on different IPs. That's not the case with the ASA where VPNs are only terminated on the interface IP.

Is it possible to just assign one external IP on my outside interface to get out with my tunnel using that IP, and create a DMZ with the other IP to internally reroute the traffic to my internal network? Of course with the proper ACLs to avoid security breaches from other sources aside from the opposite peer....

I know this is kind of messy, I'm just trying to figure out some possibilities.

I