02-02-2017 02:29 AM - edited 03-12-2019 01:52 AM
Hi All,
I was hoping someone could explain this to me or set me straight. We have a Cisco ASA 5525X (running 9.2) and are in a good position where we can use real IP addresses. What I am hoping to do is a Hairpin Scenario.
People will connect to a Real IP on the outside interface, get a VPN Pool address (from a pool of REAL IP addresses) and get routed back out the same interface with the use of identity NAT.
I have got this to work using Dynamic PAT and a static route, but my IP address when connecting to servers/internet is showing as the outside Interface IP.
object network VPN-General
subnet 137.X.X.X 255.255.255.192
nat (any,Outside) source dynamic VPN-General interface
route Outside 0.0.0.0 0.0.0.0 <gateway of Outside Int IP> 1
I have been reading and tried a lot of examples, but is it possible to get a REAL VPN Pool address and, when leaving the ASA via the Outside Interface, keep my pool address?
Thanks
N
02-09-2017 12:56 AM
Hi Marius,
Yes, it uses real IP addresses for its pools.
It has a static route, routing this to the outside interface IP, and the aforementioned NAT rules. I will try some more things here to see if I can find out what's going on.
Thanks
02-09-2017 01:47 AM
Then this is where your problem is. If the 137.x.x.x VPN pool is used on the older ASA, this means that your ISP is routing the 137.x.x.x subnet to the older ASA. Therefore, return traffic that you are testing on the new ASA will be redirected to the old ASA. I am betting that if you check the logs on the older ASA you will see drops for this traffic (most likely "no connection" drops).
--
Please remember to select a correct answer and rate helpful posts
02-09-2017 02:29 AM
Hi Marius,
Unfortunately the real IPs on the old ASA are in a different subnet to the ones on the new one, so the networks are not duplicated.
Thanks
02-09-2017 02:33 AM
You still need to check with your ISP that the 137.x.x.x network is routed toward the correct ASA.
--
Please remember to select a correct answer and rate helpful posts
02-10-2017 07:30 AM
Hi Marius,
Thanks for that. I will try adding the VPN Pool Network as a Routed VLAN on our core and see if that helps. This way, I think I won't have to do NAT. You will connect on the outside interface, get a Real IP, and we will then have a routed network for it. I will let you know how this goes.
Thanks
02-10-2017 11:07 AM
Do you mean that you will add an interface with an IP within the range? If so, this will not solve the problem. The problem is that your ISP is most likely routing the subnet towards the wrong ASA.
--
Please remember to select a correct answer and rate helpful posts
02-13-2017 07:43 AM
Hi,
To clarify, when I said I wanted to replicate the old ASA, I meant by design. I am using different pools of Real IP addresses on each of them. I am aware that having the same IP pools on both ASAs would lead to routing issues, so I avoided that from the start. I decided to do away with NAT and instead I cabled up another one of the ports on the ASA to our core. Now the 137.X.X.X/26 is a routed interface on our core too. So when you connect to the outside interface, you get a Real address from the 137.X.X.X/26 pool and now we have an interface in this VLAN, so all is working perfectly.
Thanks to all for taking a look at this
02-02-2017 12:30 PM
It sounds like you want to tunnel all traffic through the VPN and allow internet access?
If so, this is a very common setup and can be done with a dynamic NAT statement and the same-security permit intra-interface commands.
If the VPN pool is a public IP subnet, then just make sure that this subnet is routed to the ASA outside interface.
--
Please remember to select a correct answer and rate helpful posts
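Putting the thread's suggestions together, here is an added example configuration (not from any of the posters) that keeps the real pool address on the hairpin: the dynamic PAT from the first post is replaced by an identity NAT rule for Outside-to-Outside traffic, with intra-interface traffic permitted. The 137.X.X.X/26 pool, the gateway placeholder and the 203.0.113.5 test destination are assumptions.

```cisco
! Required for hairpinning: traffic may enter and leave the same interface
same-security-traffic permit intra-interface

object network VPN-General
 subnet 137.X.X.X 255.255.255.192

! Original approach from the question (hides the pool address behind the
! Outside interface IP, which is what the poster saw):
!   nat (any,Outside) source dynamic VPN-General interface
!
! Replacement: identity NAT, so a VPN client's pool address is unchanged
! when its traffic is routed back out of Outside. Twice-NAT rules are
! evaluated in order, so this must sit before any dynamic PAT rule that
! would otherwise match the pool.
nat (Outside,Outside) source static VPN-General VPN-General

! Default route toward the ISP; the ISP must in turn route 137.X.X.X/26
! to this ASA's Outside address, otherwise return traffic never arrives.
route Outside 0.0.0.0 0.0.0.0 <gateway of Outside Int IP> 1

! Note: because the pool is public and routed to Outside, Internet hosts
! can also initiate traffic toward pool addresses; the inbound ACL on
! Outside still governs that, so keep it restrictive.

! Verification: simulate a VPN client (pool address) reaching an Internet
! host and confirm the NAT phase shows untranslated (identity) source.
! packet-tracer input Outside tcp 137.X.X.10 12345 203.0.113.5 443
! show nat detail
! show xlate
```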