VIP's on Cisco ASA devices

lnslnslns · ‎06-21-2019

I'm low on public IP's, so I wonder whether I can connect the outside interface on my Cisco ASA firewall to VRF with a link network like 10.11.12.8/30, and then route a public IP to the ASA firewall and use that IP as source for outbound NAT rules and destination for inbound traffic?

I know it can be done with configuring the outside interface link network with a public IP range, but that means using 8 public IP's for something where I only need one if the above is possible.

gbekmezi-DD · ‎06-21-2019

You want the packet destination to be the public IP address upstream from the ASA, but you want the ASA to NAT for that IP address? How are you planning on routing the traffic from the upstream network device that actually hosts that subnet to the ASA? If you can get the traffic to the ASA, you should be able to perform the NAT/PAT you are wanting to do.

George

lnslnslns · ‎06-22-2019

The public IP's are just an IP range assigned to our DC. It's not configured anywhere as a VLAN or similar. It's just a range of routes IP's. There is therefore no issues in host routing individual IP's from the public internet VRF to specific devices like the ASA.

My question is. Can I, on a Cisco ASA, use IP's which are not interface IP's as termination points for VPN connections, source for hide NAT rules etc. or does that have to be interface IP's?

Rob Ingram · ‎06-22-2019

Hi,

You have to enable ISAKMP/IKEv2 on the interface that terminates the VPN, therefore only that interface IP address will listen on UDP/500.

HTH