VPN Through 3rd interface

pclowes
Level 1

I'm trying to create a VPN so clients (as opposed to S2S) can connect to our LAN. I've inherited a rather strange setup.

1. There is no NAT.

2. The 5515 ASA Outside interface connects to a 3750 with a private IP. ex 192.168.2.0

3. The Inside interface connects to 4506 with a private IP 192.168.1.0

4. The workstations are all assigned public IPs. The gateway is a public IP (VLAN) on the 4506.

Since I need to assign a public IP to the VPN, I wanted to connect another ASA interface directly to the LAN switch.

My problems are:

1. Does this sound practical? Am I creating a security issue?

Assuming 10.10.10.0/24 is my public network

my gateway is 10.10.10.1/24

I want to assign the VPN interface an address of 10.10.10.253 255.255.255.248

I want to route 10.10.10.0/24 traffic through the outside interface and the VPN traffic through the VPN interface.

my vpn pool would be 10.10.10.193 - 10.10.10.223

Am I totally off base here?

Does adding the third interface and connecting it to the LAN make any sense? Should I just dump the private IP between the ASA and 4506 and assign a public IP?

Thanks,

1 Reply

Marvin Rhoads
Hall of Fame

Remote access VPN can be configured and bound to any interface (or set of interfaces). The main challenge is routing.

While inbound client traffic can come into the ASA interface you want to use for VPN, the ASA won't necessarily know how to reply to them out the same interface if it is anything other than the one connected to the default gateway. Policy-based routing (available in the most recent ASA versions) doesn't help much unless you know in advance all of the remote clients' IP addresses (not likely).

More practical would be to just allow the incoming VPN traffic via whatever public gateway connects to the Internet. NAT that to your ASA outside interface and bind your VPN there.
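A constructed ASA configuration illustrating the approach in the reply above (remote-access VPN bound to the existing outside interface, with the upstream public gateway forwarding the VPN ports to it); this is an added example, not config from the thread or from Cisco. It assumes ASA 9.x syntax, constructed addresses for the ASA and 4506 interfaces, a placeholder AnyConnect image name, and a client pool moved outside the LAN /24 (constructed as 10.10.20.0/27), because workstations with a /24 mask would ARP for a pool address carved out of their own subnet instead of sending it to the gateway.

```cisco
! Constructed example. Upstream public gateway must forward TCP/UDP 443
! (plus UDP 500/4500 if IKEv2 is enabled) to the ASA outside address.
! The 4506 needs: ip route 10.10.20.0 255.255.255.224 <ASA inside IP>
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.2.1
! LAN public subnet reached via the 4506 (constructed inside address)
route inside 10.10.10.0 255.255.255.0 192.168.1.1
!
ip local pool RA-VPN-POOL 10.10.20.1-10.10.20.30 mask 255.255.255.224
!
object network LAN-PUBLIC
 subnet 10.10.10.0 255.255.255.0
object network RA-VPN-POOL-NET
 subnet 10.10.20.0 255.255.255.224
! Identity NAT so LAN<->VPN traffic is never translated
nat (inside,outside) source static LAN-PUBLIC LAN-PUBLIC destination static RA-VPN-POOL-NET RA-VPN-POOL-NET no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Only LAN traffic is tunnelled; clients' Internet traffic stays local
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-VPN-POOL
 default-group-policy RA-VPN-GP
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable
!
! By default decrypted VPN traffic bypasses the interface ACL; turn that
! off so the outside ACL below limits what VPN clients can reach.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip 10.10.20.0 255.255.255.224 10.10.10.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
```

Because the pool is routed rather than on-link with the LAN, replies from 10.10.10.x hosts go to the 4506, then to the ASA inside interface, and back out the tunnel on outside, which is the symmetric path the reply describes.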