02-04-2025 04:12 AM
Hi All,
We have a Cisco 3110 firewall acting as the termination point for remote access VPNs. There is another vendor's firewall positioned in front of the ASA. Since there is public IP scarcity, I want to know if there is a possibility or a workaround to use a tunnel interface or a loopback interface for the remote VPN.
Thanks,
02-04-2025 04:27 AM
@henokk60 you can set a loopback interface as the source interface for a VTI (since version 9.19), but that's not supported with a Remote Access VPN.
https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
02-06-2025 12:22 AM
What if I use the other vendor's public interface and use NAT to a floating IP, which will redirect to the ASA? For example, whenever a user hits the public IP, the request will first hit the external firewall, and using NAT, the external firewall forwards it to the ASA. Then, the ASA will allow the user remote access. Could this scenario work?
02-06-2025 12:35 AM
@henokk60 yes, the front firewall can NAT the traffic to the ASA behind it. The front firewall will need to permit the required traffic towards the ASA which will be tcp/443, udp/443 (SSL/TLS VPN) and udp/4500, udp/500 (if using IPSec VPN).
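As an added example (not from the thread, and not Cisco or any vendor's tooling), here is a small Python audit that checks a front firewall's port-forwarding (DNAT) policy against the ports listed in the reply above, for the chosen VPN type, and reports both what is missing and what is exposed beyond that. The rule format, the internal ASA address and the sample policy are assumptions.

```python
# Added example (not from the thread): audit a front firewall's DNAT rules
# toward the ASA so only the ports a Cisco RA VPN needs are forwarded.
from dataclasses import dataclass

# Port pairs the reply lists for each remote access VPN type.
REQUIRED = {
    "ssl": {("tcp", 443), ("udp", 443)},      # SSL/TLS VPN (TLS + DTLS)
    "ipsec": {("udp", 500), ("udp", 4500)},   # IPsec VPN (IKE + NAT-T)
}
REQUIRED["both"] = REQUIRED["ssl"] | REQUIRED["ipsec"]


@dataclass(frozen=True)
class DnatRule:
    """One port-forward on the front firewall (assumed generic format)."""
    proto: str
    dport: int
    target: str   # internal host the public port is forwarded to


def audit(rules, asa_ip, vpn="both"):
    """Return (missing, excess): required port pairs not forwarded to
    asa_ip, and forwardings to asa_ip that the VPN type does not need."""
    want = REQUIRED[vpn]
    have = {(r.proto.lower(), r.dport) for r in rules if r.target == asa_ip}
    return sorted(want - have), sorted(have - want)


# Constructed sample policy: SSL ports present, NAT-T missing, SSH over-exposed.
SAMPLE = [
    DnatRule("tcp", 443, "10.0.0.5"),
    DnatRule("udp", 443, "10.0.0.5"),
    DnatRule("udp", 500, "10.0.0.5"),
    DnatRule("tcp", 22, "10.0.0.5"),     # not needed for the VPN
    DnatRule("tcp", 443, "10.0.0.9"),    # a different internal host
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE, "10.0.0.5")
    print("missing forwardings:", missing)   # [('udp', 4500)]
    print("excess forwardings:", excess)     # [('tcp', 22)]
```

Run it with the real rule export converted into `DnatRule` entries; an empty `missing` list means the ASA is reachable for the chosen VPN type, and a non-empty `excess` list is what to remove from the front firewall.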