05-23-2023 03:04 PM
Hello, Cisco Gurus!
Anyone set up a route-based IPsec tunnel on the same ASAv that hosts multiple policy-based S2S VPNs? Cisco says it's possible, but didn't provide any best practices. Specifically, we're interested in placing our internal sources (which are many) behind NAT, so the peer has only one or two IPs to route VPN traffic to.
Thanks in advance!
05-23-2023 03:19 PM
I don't get it.
Route-based VPN and policy-based VPN,
and NATing of the local LAN. Can you elaborate more?
05-23-2023 03:40 PM
Our ASAv hosts multiple policy-based (crypto maps) VPN tunnels. One of the remote peers switched to route-based VPN and wants us to do the same for them. So, we need to stand up VPN to this new route-based peer on the same ASAv.
Cisco said it's possible with VTI and referred us to this doc. Now, we've never done this before and, therefore, are asking for any pointers. Like, we have many different sources (cloud, MPLS, user VPN) that need to connect to the resources across this new route-based tunnel. Can we place them behind PAT, like so: nat (any,outside) source dynamic RFC1918 PAT destination static DST-IP_INT DST-IP_EXT? Where DST-IP_INT = our internal IP from the outside subnet, and DST-IP_EXT = host IP on the client side.
05-23-2023 03:54 PM - edited 05-30-2023 07:54 AM
checking
05-23-2023 04:27 PM
Not sure what you mean by saying that ASAv doesn't support NATing for VPN. Currently, our ASAv has multiple policy-based tunnels with tons of NATs. In fact, NATs (and corresponding DNS names) are our cheap way of routing to the tunnel interface.
We are not trying to connect a policy-based peer to a route-based peer, as we already tried that and failed.
We need to configure our ASAv for a route-based tunnel while not impacting existing policy-based tunnels. We will be following that Cisco article in setting up VTI and necessary routes on ASAv, but wanted to confirm if PAT/NAT will work as our sources are many. Did you ever do that?
05-24-2023 03:53 AM
If you put the NAT rule as (any,outside) and do a packet-tracer, you will see it may go down to the interface, as the VTI interface does not show up in the NAT rule. Defining "any" might save you and do the trick.
05-24-2023 04:23 AM - edited 05-30-2023 07:55 AM
checking
05-24-2023 04:54 AM
I have never needed to set this up for a VTI tunnel on an ASA, but you might be able to NAT the traffic using the (any,any) interface specification. Just be sure to identify the source and destination original and translated IPs so you do not match on the wrong traffic.
03-31-2024 10:20 PM - edited 03-31-2024 10:20 PM
Hi,
Are there any recommendations for migrating from a policy-based VPN to a route-based VPN on an ASA or an FMC? Route-based VPNs are highly recommended to easily set up SD-WAN networks, and have a lot of advantages compared to policy-based VPNs on the ASA and FMC.
I am a technical writer for ASA and FMC VPN features and we are trying to compile a list of recommendations for our customers on how to migrate policy-based VPN to route-based VPN.
Any pointers would be great.
Thanks,
Rashmy
04-01-2024 07:23 AM
@Rashmy Abraham, since you're from Cisco, can you tell us whether NAT on SVTI tunnels is officially supported or not, taking into consideration the following defect:
CSCvm78941 ENH: Ability to configure NAT for VTI interface