cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1235
Views
0
Helpful
9
Replies

ASAv: Route-Based Along with Policy-Based S2S IPSec Tunnels

NickNetSec
Level 1
Level 1

Hello, Cisco Gurus!

Anyone setup route-based IPSec tunnel on the same ASAv that hosts multiple policy-based S2S VPN's? Cisco says it's possible, but didn't provide any best practices. Specifically, we're interested in placing our internal sources (which are many) behind NAT, so the peer has only one or two IP's to route VPN traffic to.

Thanks in advance!

9 Replies 9

I dont get it' 

Route based vpn and policy based vpn 

And NATing of local lan' can you more elaborate.

Our ASAv hosts multiple policy-based (crypto maps) VPN tunnels. One of the remote peers switched to route-based VPN and wants us to do the same for them. So, we need to stand up VPN to this new route-based peer on the same ASAv.

Cisco said it's possible with VTI and referred us to this doc. Now, we've never done this before and, therefore, asking for any pointers. Like, we have many different sources (cloud, MPLS, user VPN) that need to connect to the resources across this new route-based tunnel. Can we place them behind PAT, like so: nat (any,outside) source dynamic RFC1918 PAT destination static DST-IP_INT DST-IP_EXT? Where DST-IP_INT = our internal IP from the outside subnet, and DST-IP_EXT = host IP on the client side.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html

checking  

Not sure what you mean by saying that ASAv doesn't support NATing for VPN. Currently, our ASAv has multiple policy-based tunnels with tons of NAT's. In fact, NAT's (and corresponding DNS names) are our cheap way of routing to the tunnel interface.

We are not trying to connect a policy-based peer to a route-based peer, as we already tried that and failed.

We need to configure our ASAv for a route-based tunnel while not impacting existing policy-based tunnels. We will be following that Cisco article in setting up VTI and necessary routes on ASAv, but wanted to confirm if PAT/NAT will work as our sources are many. Did you ever do that?

if you put the nat rule as (any,outside) and do a packet tracer you will see it may go down to the interface. as VTI interface does not show up in nat rule. by define any might save you and do the trick.

 

please do not forget to rate.

checking

I have never needed to set this up for a VTI tunnel on an ASA, but you might be able to NAT the traffic using (any,any) interface specification.  just be sure to identify the source and destination original and translated IPs so you do not match on the wrong traffic.

--
Please remember to select a correct answer and rate helpful posts

Rashmy Abraham
Cisco Employee
Cisco Employee

Hi, 

Are there any recommendations for migrating from a policy-based VPN to a route-based VPN on an ASA or an FMC? Route-based VPNs are highly recommended to easily set up SD-WAN networks, and have a lot of advantages compared to policy-based VPNs on the ASA and FMC.

I am a technical writer for ASA and FMC VPN features and we are trying to compile a list of recommendations for our customers on how to migrate  policy-based VPN to route-based VPN.

Any pointers would be great.

Thanks,

Rashmy

 

 

@Rashmy Abraham, since you're from Cisco, can you tell us whether NAT on SVTI tunnels is officially supported or not, taking into consideration the following defect:

CSCvm78941 ENH: Ability to configure NAT for VTI interface

 

Review Cisco Networking for a $25 gift card