Using tunnel Interface or loopback interface

henokk60
Level 1

Hi All,

We have a Cisco 3110 firewall acting as the termination point for remote access VPNs. There is another vendor's firewall positioned in front of the ASA. Since there is public IP scarcity, I want to know if there is a possibility or a workaround to use a tunnel interface or a loopback interface for the remote VPN.

Thanks,


3 Replies

@henokk60 you can set a loopback interface as the source interface for a VTI (since version 9.19), but that's not supported with a Remote Access VPN.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

What if I use the other vendor's public interface and use NAT to a floating IP, which will redirect to the ASA? For example, whenever a user hits the public IP, the request will first hit the external firewall, and using NAT, the external firewall forwards it to the ASA. Then, the ASA will allow the user remote access. Could this scenario work?

Accepted Solution

@henokk60 yes, the front firewall can NAT the traffic to the ASA behind it. The front firewall will need to permit the required traffic towards the ASA which will be tcp/443, udp/443 (SSL/TLS VPN) and udp/4500, udp/500 (if using IPSec VPN).
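A pre-change check for the port list in the accepted answer, written as an added example rather than anything posted in the thread: it walks a front firewall's destination-NAT and post-NAT permit rules and reports any VPN port that is not both forwarded to the ASA and allowed through. The rule format, the ASA address 10.0.0.2 and the sample rule set are constructed for illustration and match no particular vendor's syntax.

```python
# Added example (not from the thread): verify that a front firewall's DNAT and
# permit rules cover every port a Cisco ASA needs for remote-access VPN when it
# sits behind NAT. Rule format and sample values are constructed.
from dataclasses import dataclass

# Ports the accepted answer says the front firewall must forward to the ASA.
REQUIRED_PORTS = {
    ("tcp", 443): "SSL/TLS VPN",
    ("udp", 443): "SSL/TLS VPN (DTLS)",
    ("udp", 500): "IPsec VPN (IKE)",
    ("udp", 4500): "IPsec VPN (NAT-T)",
}

@dataclass(frozen=True)
class Rule:
    kind: str    # "dnat" (public IP -> internal host) or "permit" (post-NAT ACL)
    proto: str   # "tcp" or "udp"
    lo: int      # first port of the range
    hi: int      # last port of the range
    dst: str     # dnat: translated host; permit: destination host or "any"

    def matches(self, proto, port):
        return self.proto == proto and self.lo <= port <= self.hi

def missing_forwards(rules, asa_ip):
    """Return {(proto, port): reason} for each required port that is not both
    NATted to the ASA and permitted to it by the front firewall."""
    problems = {}
    for (proto, port), purpose in REQUIRED_PORTS.items():
        natted = any(r.kind == "dnat" and r.matches(proto, port) and r.dst == asa_ip
                     for r in rules)
        allowed = any(r.kind == "permit" and r.matches(proto, port)
                      and r.dst in (asa_ip, "any") for r in rules)
        if not natted:
            problems[(proto, port)] = f"no DNAT to ASA for {purpose}"
        elif not allowed:
            problems[(proto, port)] = f"DNAT present but not permitted ({purpose})"
    return problems

# Constructed sample: NAT-T (udp/4500) was never forwarded, and the ACL only
# opened tcp/443, so DTLS on udp/443 is NATted to the ASA but still blocked.
SAMPLE_RULES = [
    Rule("dnat", "tcp", 443, 443, "10.0.0.2"),
    Rule("dnat", "udp", 443, 443, "10.0.0.2"),
    Rule("dnat", "udp", 500, 500, "10.0.0.2"),
    Rule("permit", "tcp", 443, 443, "10.0.0.2"),
    Rule("permit", "udp", 500, 500, "any"),
]

if __name__ == "__main__":
    for (proto, port), why in sorted(missing_forwards(SAMPLE_RULES, "10.0.0.2").items()):
        print(f"{proto}/{port}: {why}")
```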