02-09-2022 05:39 AM - edited 02-09-2022 05:41 AM
We have 2 ISP BGP peers (1.1.1.1, AS111; 2.2.2.2, AS222), an ASA 5515-X (9.12.4.18) and our own public network (192.0.2.0/24, AS333).
We need SSL VPN (and s2s too) configured on this device, but on our own IP addresses, not the ISP's.
The config looks like:

router bgp 333
 bgp log-neighbor-changes
 bgp router-id 192.0.2.1
 timers bgp 5 15 0
 address-family ipv4 unicast
  neighbor 1.1.1.1 remote-as 111
  neighbor 1.1.1.1 ebgp-multihop 3
  neighbor 1.1.1.1 activate
  neighbor 2.2.2.2 remote-as 222
  neighbor 2.2.2.2 ebgp-multihop 3
  neighbor 2.2.2.2 activate
  network 192.0.2.0
  no auto-summary
  no synchronization
 exit-address-family
!
interface GigabitEthernet0/0
 nameif ISP1
 security-level 0
 ip address 1.1.1.0 255.255.255.254
!
interface GigabitEthernet0/1
 nameif ISP2
 security-level 0
 ip address 2.2.2.3 255.255.255.254
!
interface GigabitEthernet0/2
 nameif public
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
webvpn
 enable public
 anyconnect enable
!
crypto ikev2 enable public

But by default the ASA blocks connections to the interface named public when they arrive on another interface.
Is it possible to reach the remote-access VPN (and s2s) at IP 192.0.2.1 via ISP* (from the internet)?
02-09-2022 05:58 AM
Can you draw the topology?
02-09-2022 06:26 AM
@Whoops If I understand you correctly, then no. You've got to enable the VPN on the internet-facing interface; you cannot route through the ASA and terminate the VPN on another interface.
02-09-2022 09:18 AM
So... I can't use the ASA as border router and VPN gateway on my own IP at the same time?
02-09-2022 08:34 AM
You must make sure that the ISPs advertise your PI space, and then
divide this PI space into two prefixes, one for each ISP.
After that, use one IP from each space as the public IP for SSL VPN.
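The split that the answer above sketches, worked through as an added example (not code from the thread): the PI block is divided into one sub-prefix per ISP, one address per half is chosen as that ISP's VPN endpoint, and per-neighbor outbound policy is rendered so each ISP only sees its own half. The ISP list is constructed from the thread; the "first usable host" choice, the max_prefixlen check (the longest prefix you expect each ISP to accept, confirm it with them) and the ASA 9.x prefix-list/route-map syntax are assumptions to verify on the device.

```python
import ipaddress

# Constructed from the thread: the two ISP neighbors and their AS numbers.
ISPS = [
    {"nameif": "ISP1", "neighbor": "1.1.1.1", "remote_as": 111},
    {"nameif": "ISP2", "neighbor": "2.2.2.2", "remote_as": 222},
]

def plan_split(pi_space, isps, max_prefixlen=24):
    """Split the PI block into one equal sub-prefix per ISP (power of two only)
    and pick the first usable host of each half as that ISP's VPN endpoint
    (an assumption; any unused address in the half would do).
    'advertisable' records whether the half is no longer than max_prefixlen,
    the longest prefix you expect that ISP to accept and propagate."""
    net = ipaddress.ip_network(pi_space)
    n = len(isps)
    if n & (n - 1):
        raise ValueError("number of ISPs must be a power of two")
    halves = list(net.subnets(prefixlen_diff=(n - 1).bit_length()))
    return [
        {
            "nameif": isp["nameif"],
            "neighbor": isp["neighbor"],
            "prefix": half,
            "vpn_ip": next(half.hosts()),
            "advertisable": half.prefixlen <= max_prefixlen,
        }
        for isp, half in zip(isps, halves)
    ]

def render_bgp_policy(local_as, plan):
    """Return ASA-style lines: a network statement per half and an outbound
    prefix-list/route-map per neighbor so each ISP only learns its own half.
    Syntax is assumed from the ASA 9.x BGP model; confirm on the device."""
    lines = []
    for p in plan:
        tag = p["nameif"]
        lines += [f"prefix-list PL-{tag} seq 10 permit {p['prefix']}",
                  f"route-map RM-{tag} permit 10",
                  f" match ip address prefix-list PL-{tag}"]
    lines += [f"router bgp {local_as}", " address-family ipv4 unicast"]
    for p in plan:
        lines.append(f"  network {p['prefix'].network_address} mask {p['prefix'].netmask}")
        lines.append(f"  neighbor {p['neighbor']} route-map RM-{p['nameif']} out")
    return lines

if __name__ == "__main__":
    plan = plan_split("192.0.2.0/24", ISPS)
    for p in plan:
        print(f"{p['nameif']}: advertise {p['prefix']} via {p['neighbor']}, "
              f"VPN endpoint {p['vpn_ip']}, within accepted length: {p['advertisable']}")
    print("\n".join(render_bgp_policy(333, plan)))
```

With the thread's /24 the halves come out as /25s, so the advertisable flag is False at the default of 24; raise max_prefixlen only if each ISP has confirmed it will carry the longer prefix.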