04-26-2010 11:11 PM
Now, our VPN users are connecting with Cisco VPN Client to interface outside.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.128 standby 200.200.200.3
ospf cost 10
But we are going to use new IP addresses, so I need to enable VPN users to connect to interface outside103.
I have allowed interface "outside103" in ASDM: Configuration > Remote Access VPN > Network Access > IPSec Connection Profiles > interface outside103 (checkbox Allow)
interface GigabitEthernet0/0.103
vlan 103
nameif outside103
security-level 0
ip address 201.201.201.2 255.255.255.128
ospf cost 10
But while trying to connect, the log messages say that the problem is in phase 1 IKE SA...
Maybe there are some more options to enable VPN on a subinterface?
Or VPN is not supported on subinterfaces?
04-27-2010 12:03 AM
I got this for PIX:
"If a VPN tunnel is initiated using a physical interface, logical interfaces cannot participate in the VPN tunnel."
Does that mean that I need to disable VPN on the physical interface to allow it on a logical interface?
VPN client says:
Release 4.6 VPN Client error messages are different from those in the Release 4.0.x VPN Clients. With the 4.0.X version of the VPN Client, if there is a problem with the broadband provider, users get the following pop-up: "Secure VPN connection terminated locally by the client. Reason 412: The remote peer is no longer responding."
With the Release 4.6 VPN Client, there is no event message at all, the Client just states that it is not connected. If I enable connect history display, I get the following message: "Secure VPN connection terminated locally by the client. Reason 401: An unrecognized error occurred while establishing the VPN connection. Not connected."
04-27-2010 01:35 AM
1) Do you still have ip address configured on the physical interface? and where does your default gateway point to?
2) Are you replacing the outside interface with the new IP, or the new IP is just extension to the old outside interface ip?
3) You can't have 2 default gateways on 2 different interfaces on ASA anyway, so
-- if the new IP is the extension of the existing public ip, then you would need to route the new ip range to the current outside interface, and you can use those new IP range for NAT.
-- if the new IP is the extension of the existing public ip, and you will be routing the subnet towards the existing outside ip, you can't use the new IP to terminate the VPN. You can only terminate on the ip address assigned to the interface of the ASA.
-- if the new IP is the extension of the existing public ip, and you would like to use the new IP for VPN termination, then you would need to assign the new ip to the outside interface, and route the existing outside subnet to the newly created interface IP.
Hopefully I haven't confused you. Let us know if you have any further questions.
07-30-2010 05:08 AM
The problem used to be in asymmetric routing.
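The asymmetric-routing condition named in the last reply can be checked offline with a simplified longest-prefix-match model. This is an added example, not code from any poster or from Cisco; the interface addresses are the ones posted above, while the default-route next hop 200.200.200.1 and the client address are assumptions constructed for the illustration.

```python
import ipaddress

# Interface addresses as posted in the thread.
INTERFACES = {
    "outside": ipaddress.ip_interface("200.200.200.2/25"),
    "outside103": ipaddress.ip_interface("201.201.201.2/25"),
}

# Constructed routing table: one default route out of "outside".
# The next hop 200.200.200.1 is an assumption; the thread does not give it.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "outside", "200.200.200.1")]


def egress_interface(dst, interfaces=INTERFACES, routes=ROUTES):
    """Pick the interface a packet to dst leaves on (longest-prefix match)."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i.network, name) for name, i in interfaces.items()]
    candidates += [(net, name) for net, name, _hop in routes]
    matches = [(net.prefixlen, name) for net, name in candidates if dst in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def check_termination(client_ip, terminate_on):
    """Compare the interface the client connects to with the reply's egress."""
    egress = egress_interface(client_ip)
    return {"ingress": terminate_on, "egress": egress,
            "symmetric": egress == terminate_on}


if __name__ == "__main__":
    client = "198.51.100.10"  # constructed client address (documentation range)
    for ifname in INTERFACES:
        print(ifname, check_termination(client, ifname))
```

With a single default route on "outside", a remote client that connects to the outside103 address gets its replies routed out of a different interface than the one it connected to, which is the mismatch the model flags.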