topic Azure ASAv Question involving VPN and a VIP address in Network Security

Azure ASAv Question involving VPN and a VIP address

jamesholley — Tue, 28 Feb 2023 12:13:23 GMT

Hi guys

I have come up with a solution to get my Corporate traffic into Azure by way of a VPN, which will terminate on a HA pair of ASAv firewalls. I need to protect an HTTPS flow within the tunnel and have it decrypted on the ASAv.

The flow would be our Corp network as src address range to a VIP that will sit on both ASAv firewalls. The VIP is from the Azure public address ranges and has been created in Azure. A NAT rule will essentially take that input and convert the destination IP address from the VIP to the internal ip address of our ALB within Azure.

I haven't tested this yet, but I can't see anything that would stop this working, as because the traffic is coming to the ASAv from a VPN tunnel, i don't need the ASAv to arp for the VIP.

What do you all think?

Regards

James

Re: Azure ASAv Question involving VPN and a VIP address

Sheraz.Salim — Tue, 28 Feb 2023 12:39:35 GMT

seem like it will work so you have a ALB as public IP addresses. the vpn tunnel will formed from remote side to ASAv where as for the presentation of ASAv ALB will be the outside (let say the point where the traffic vpn will terminate). yes sound like it will work.

Re: Azure ASAv Question involving VPN and a VIP address

jamesholley — Tue, 28 Feb 2023 12:52:21 GMT

Yes, the two ASAv are sat behind a PLB, which will pass IKE traffic through to the active ASAv.

Re: Azure ASAv Question involving VPN and a VIP address

Sheraz.Salim — Tue, 28 Feb 2023 12:57:48 GMT

@jamesholley these two ASAv in ha pair? you mentioned the word active ASAv so i assume it HA pair. yes the sound of this would work.

Re: Azure ASAv Question involving VPN and a VIP address

jamesholley — Tue, 28 Feb 2023 13:02:57 GMT

Hi, yes, an HA pair working in active/standby mode.