STS TUNNEL SETUP

ray_stone
Level 1

Hello Experts,

We need to create an STS tunnel with one of our clients, and they have a load balancer in front of their firewall. Two ISP links are terminated on the load balancer, and the load balancer's internal network is connected to the firewall. The firewall interface connected to the LB has a private IP address assigned and acts as the WAN port, and the firewall has one internal interface configured where the servers are placed, so there are two NATs here: one at the firewall and a second one on the LB. The LB has NAT configured with the public IPs of the ISPs, and both ISP IPs terminate on the LB, not on the firewall. Now we need to establish an STS tunnel with the client firewall, where the public IP is not terminated. So is it possible that I NAT the private IP of the firewall's outside interface on the LB to a public IP and then create the tunnel on the firewall? Would it work? Please explain in detail whether it works or not.

Thanks

Sent from Cisco Technical Support iPhone App

5 Replies

ray_stone
Level 1

Can somebody respond on this?

Sent from Cisco Technical Support iPhone App

Hi Ray,

I hope it should work if you do one-to-one NAT on the load balancer with a public IP to the private IP of the firewall outside interface, and have a rule that allows the required traffic to the firewall outside IP, or an any/any rule set for the NAT, i.e. one that does not block any traffic towards the firewall outside IP.

Client end (Public IP) --> ISP --> LB (Public to Private IP NAT towards firewall interface) --> ASA (configured with the private IP as its outside & VPN peer IP as it is).

Let me go through some scenarios and possibly can confirm you on the same...

Regards

Karthik
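As an added illustration of the arrangement Karthik sketches above (not configuration from anyone in this thread), this is what the ASA side can look like when its outside interface carries a private address that the load balancer translates one-to-one to a single public IP. Assumptions: ASA 9.x IKEv1 syntax, the LB forwards UDP/500 and UDP/4500 from that public IP to the ASA outside address and keeps the tunnel pinned to one ISP address, and all names, subnets and addresses are placeholders.

```cisco
! Added example, not from this thread. ASA outside interface sits behind a
! 1:1 NAT on the load balancer; the remote peer is 203.0.113.10 (placeholder).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
!
object network LOCAL_NET
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_NET
 subnet 10.20.20.0 255.255.255.0
!
! NAT exemption: the ASA itself must not translate VPN traffic (the LB does the outer NAT)
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
access-list VPN_ACL extended permit ip object LOCAL_NET object REMOTE_NET
!
! NAT-T wraps ESP in UDP/4500 so the LB's NAT can carry it; keepalives hold the NAT entry open
crypto isakmp nat-traversal 20
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER_PSK>
```

The client side must peer with the LB's public address, never with 192.168.100.2, and if the LB moves the tunnel to the other ISP's public IP the peer address changes and the SA has to be rebuilt, which is the load-balancing problem Jeet raises further down.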

ray_stone
Level 1

Please confirm if it works. I tested out this but unfortunately it's not working.

Sent from Cisco Technical Support iPhone App

Can somebody please provide more input on this?

Thanks.

Hi Ray,

I am not sure whether I understood your requirement correctly, but this is what I understood: your remote site has a load balancer with 2 ISPs to share the load. The firewall's outside interface has a private IP which is connected on the inside of the LB, and the LB is doing the NATTING.

Unfortunately VPN doesn't work with load balancing.

Thanks

Jeet
