Hi,
I have a Cisco ASA 5520 set up with multiple outside interfaces (via an 802.1Q trunk from a switch - i.e. I have created 1 subinterface per VLAN, with the ASA routing between the VLANs), and I have users establish an IPsec tunnel over these subinterfaces using the Cisco VPN Client.
At the moment, all users can establish a VPN session, but it only works if they establish it to their default gateway, which is the ASA. However, when a user moves between VLANs it is becoming annoying, because they have to change the Cisco VPN Client to use the new default gateway (i.e. the interface of the ASA) of the VLAN they have moved to.
Is there a way that I can use 1 address as the target for a VPN session no matter what VLAN/subinterface of the ASA the user is on? Can this be done with NAT? Perhaps I can create a dummy subinterface, and have users VPN to the IP address on that subinterface? Has anyone had to do this before?
With the NAT solution, I believe it would be identical to situations where people have used different IP addresses than the one assigned to the outside interface of a PIX/ASA connecting to the Internet.
Any comments/suggestions?
Thanks
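For reference, here is the kind of configuration the post describes: an ASA with one outside subinterface per VLAN, each terminating Cisco VPN Client (IKEv1 remote-access) sessions on its own address. This is an added example written for this page, not configuration from the original poster; the interface names, VLAN IDs, addresses, pool, and group names are all hypothetical, and the syntax is ASA 8.x.

```text
! Physical port carrying the 802.1Q trunk from the switch (no IP of its own)
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN; each is an "outside" interface with its own address
interface GigabitEthernet0/0.10
 vlan 10
 nameif vlan10
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif vlan20
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
! Address pool handed to VPN clients (hypothetical range)
ip local pool VPNPOOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! IKEv1 policy used by the Cisco VPN Client
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Remote-access clients have dynamic peer addresses, so a dynamic crypto map is used
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
!
! The same crypto map is bound to, and ISAKMP is enabled on, every subinterface
! that clients may connect from. A client on VLAN 10 peers with 192.0.2.1, a
! client on VLAN 20 with 198.51.100.1.
crypto map OUTSIDE_MAP interface vlan10
crypto map OUTSIDE_MAP interface vlan20
crypto isakmp enable vlan10
crypto isakmp enable vlan20
!
! Tunnel group and group policy the client's group name/pre-shared key maps to
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec
tunnel-group RA-TG type ipsec-ra
tunnel-group RA-TG general-attributes
 address-pool VPNPOOL
 default-group-policy RA-GP
tunnel-group RA-TG ipsec-attributes
 pre-shared-key <redacted>
```

Two behaviours of the ASA are worth keeping in mind when evaluating the "single address via NAT" idea: IKE/IPsec is only terminated on the interface the packets arrive on, using that interface's own address (which is why the crypto map and `crypto isakmp enable` must be applied per subinterface above), and NAT rules are not applied to traffic addressed to the firewall itself, so a translation cannot redirect IKE packets sent to one ASA address onto another of its interfaces.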