SSL VPN via BGP

Whoops
Level 1

We have 2 ISP BGP peers (1.1.1.1, AS111; 2.2.2.2, AS222), an ASA 5515-X (9.12.4.18), and our own public network (192.0.2.0/24, AS333).

We need to have SSL VPN (and S2S too) configured on this device, but on our own IP addresses, not the ISP's.


The config looks like this:

router bgp 333
 bgp log-neighbor-changes
 bgp router-id 192.0.2.1
 timers bgp 5 15 0
 address-family ipv4 unicast
  neighbor 1.1.1.1 remote-as 111
  neighbor 1.1.1.1 ebgp-multihop 3
  neighbor 1.1.1.1 activate
  neighbor 2.2.2.2 remote-as 222
  neighbor 2.2.2.2 ebgp-multihop 3
  neighbor 2.2.2.2 activate
  network 192.0.2.0
  no auto-summary
  no synchronization
  exit-address-family
!
interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 1.1.1.0 255.255.255.254
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 2.2.2.3 255.255.255.254
!
interface GigabitEthernet0/2
 nameif public
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
webvpn
 enable public
 anyconnect enable
!
crypto ikev2 enable public

But by design the ASA blocks connections to the interface named public if they arrive on another interface.

Is it possible to reach the remote-access VPN (and S2S) on IP 192.0.2.1 via ISP* (from the internet)?


4 Replies

Can you draw the topology?

@Whoops If I understand you correctly, then no. You've got to enable the VPN on the internet-facing interface; you cannot route through the ASA and terminate the VPN on another interface.

So... I can't use the ASA as both border and VPN gateway on my own IP?

You must make sure that the ISP advertises your PI space, and then
divide this PI space into two prefixes, one for each ISP.
After that, use one IP from each space as the public IP for SSL VPN.
