Azure ASAv Question involving VPN and a VIP address

jamesholley
Level 1
Hi guys

I have come up with a solution to get my Corporate traffic into Azure by way of a VPN, which will terminate on a HA pair of ASAv firewalls. I need to protect an HTTPS flow within the tunnel and have it decrypted on the ASAv.

The flow would be our Corp network as src address range to a VIP that will sit on both ASAv firewalls. The VIP is from the Azure public address ranges and has been created in Azure. A NAT rule will essentially take that input and convert the destination IP address from the VIP to the internal IP address of our ALB within Azure.

I haven't tested this yet, but I can't see anything that would stop this working because, as the traffic is coming to the ASAv from a VPN tunnel, I don't need the ASAv to ARP for the VIP.

What do you all think?

Regards

James

Accepted Solutions

Seems like it will work, so you have an ALB as public IP addresses. The VPN tunnel will be formed from the remote side to the ASAv, whereas for the presentation of the ASAv, the ALB will be the outside (let's say the point where the traffic VPN will terminate). Yes, sounds like it will work.

Please do not forget to rate.

Yes, the two ASAv are sat behind a PLB, which will pass IKE traffic through to the active ASAv.

@jamesholley are these two ASAv in an HA pair? You mentioned the word active ASAv, so I assume it is an HA pair. Yes, by the sound of this, it would work.

Please do not forget to rate.

Hi, yes, an HA pair working in active/standby mode.