Solved: Using tunnel Interface or loopback interface

henokk60 · ‎02-04-2025

Hi All,

We have a Cisco 3110 firewall acting as the termination point for remote access VPNs. There is another vendor's firewall positioned in front of the ASA. Since there is public IP scarcity I want to know if there is a possibility or a workaround to use a tunnel interface or a loopback interface for the remote VPN.

Thanks,

Rob Ingram · ‎02-06-2025

@henokk60 yes, the front firewall can NAT the traffic to the ASA behind it. The front firewall will need to permit the required traffic towards the ASA which will be tcp/443, udp/443 (SSL/TLS VPN) and udp/4500, udp/500 (if using IPSec VPN).

View solution in original post

Rob Ingram · ‎02-04-2025

@henokk60 you can set a loopback interface as the source interface for a VTI (since version 9.19), but that's not supported with a Remote Access VPN.

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

henokk60 · ‎02-06-2025

What if I use the other vendor's public interface and use NAT to a floating IP, which will redirect to the ASA? For example, whenever a user hits the public IP, the request will first hit the external firewall, and using NAT, the external firewall forwards it to the ASA. Then, the ASA will allow the user remote access. Could this scenario work?

Rob Ingram · ‎02-06-2025

@henokk60 yes, the front firewall can NAT the traffic to the ASA behind it. The front firewall will need to permit the required traffic towards the ASA which will be tcp/443, udp/443 (SSL/TLS VPN) and udp/4500, udp/500 (if using IPSec VPN).