SSL (AnyConnect) and IPsec tunnels on same physical interface?


On my ASA firewalls I have always terminated my IPsec tunnels and SSL (AnyConnect) on the same physical interface. Is this recommended? Should I terminate them on different physical interfaces? Let me know how you would do this.

3 Replies

@EthanIsenberg75263 well, generally most organisations would use a single physical interface to terminate RAVPN and Site-to-Site VPNs; routing would be the problem.

What you could do for Remote Access VPN is use the interface with the default route configured; for Site-to-Site VPNs you could configure a static route for the peer public IP address via the 2nd interface.

One ISP: remote and S2S VPN must use the same interface.

Two ISPs: remote can use one ISP.

S2S VPN uses the other ISP. In this case you need two static routes, one for the S2S VPN peer and the other for the LAN behind the peer; these static routes point toward the second ISP.

This way you can load balance traffic between the two ISPs.
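The split described in the two replies above (AnyConnect on the default-route interface, site-to-site on a second ISP interface with host and LAN routes pointing at it), written out as an ASA configuration fragment. This is an added example and not configuration posted by anyone in this thread; interface names, addresses (documentation ranges) and the peer are placeholders, and an existing `inside` interface is assumed.

```cisco
! Constructed example, not taken from any post in this thread.
! Addresses are documentation-range placeholders; an "inside" interface is assumed.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
! Default route via ISP1: AnyConnect clients reach the ASA on outside1.
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1
! Host route for the site-to-site peer's public IP via ISP2 ...
route outside2 203.0.113.10 255.255.255.255 198.51.100.1 1
! ... plus a route for the LAN behind that peer, so traffic to it
! leaves via outside2, where the crypto map is applied.
route outside2 10.20.0.0 255.255.0.0 198.51.100.1 1
!
! SSL (AnyConnect) is enabled only on outside1.
webvpn
 enable outside1
 anyconnect enable
!
! IKEv2 site-to-site is enabled only on outside2, with AES-256/SHA-256.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list S2S-ACL extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map S2S 10 match address S2S-ACL
crypto map S2S 10 set peer 203.0.113.10
crypto map S2S 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map S2S interface outside2
crypto ikev2 enable outside2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
! NAT exemption so the local LAN is not translated toward the remote LAN.
object network LOCAL-LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.0.0
nat (inside,outside2) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

Without the second `route outside2` line for 10.20.0.0/16, traffic to the remote LAN would follow the default route out outside1 and never hit the crypto map on outside2; `show route` and `show crypto ikev2 sa` are the quickest checks that the split is working.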

This all boils down to your network and/or security policy. As Rob has mentioned, the majority of companies terminate both SSL and IPsec on the same interface, as there is a cost involved in having to dedicate a public IP to each of the interfaces. From a security perspective, you do not gain much from having the two terminated on separate interfaces; what does matter is the encryption algorithms used to secure the VPN connection.

What I have seen a few times and recommended previously is terminating all VPN on a separate firewall, but there we were still using a single interface to terminate both SSL and IPsec.
