Remote VPN access over Site to Site IPSEC tunnel on same device
Posted on 2011-05-10
We are replacing our PIX and VPN Concentrator with an ASA5520.
Currently our PIX firewall has IPSEC VPN tunnels to remote offices and the VPN concentrator is used for remote client access.
The way the traffic is routed, if a remote user VPNs into the concentrator, they can access the remote offices over the Site to Site VPN tunnels through the PIX.
The solution I'm looking to do is to create the same scenario, but only using the single ASA 5520.
I know that as a remote user, you cannot VPN into the outside interface of the ASA and then go back out the same interface to the remote offices over the site to site tunnels.
Is there a way to do this with just the one device?
I thought that maybe I could assign a second outside interface on the ASA and have the remote users VPN to that interface, then the site to site tunnels would be built on a second outside interface. Then the remote users could go into one outside interface and get routed out the 2nd interface with the Site to Site tunnels to reach the remote offices.
Problem is when I attempted to assign a second outside interface an IP address from the /28 block given to us by our ISP, it didn't work because the IPs overlapped.