02-21-2020 08:38 AM - edited 02-21-2020 09:09 AM
I'm working on my first LIVE IPSEC tunnels. Attached is my network design. Site A is our primary site with all the resources. Site B is currently connected to Site A using a Layer 2 MOE connection. I'm eliminating the L2 MOE for a Business Cable GigE config. Users at Site B and Site C need access to the resources at Site A. (Domain Login etc.) Otherwise, each site connects directly to the internet via their own POP.
I'm currently trying to get Site C to connect to Site A via IPSEC. The firewall outside address is an unroutable address. In all the labs, none actually emulate a real-world scenario where the firewall sits behind a Customer Edge Router (Defense in Depth). Either the firewalls are directly connected to each other and can ping "connected" devices, or the emulation fails to represent real-world sites connected via the real-world internet. So, yes, I had bench-tested this config. It worked. Once I put it in a real-world scenario, I can't ping the outside of the distant firewall.
Could I, 1, create a static route on the Site_A firewall for 10.200.0.10 255.255.255.255 50.79.222.XXX? Or, 2, do I need to move my firewalls outside my CE_RTRs? (I believe I can bridge my ISP_RTR so I can hit a public IP on my first device after my ISP_RTR.) Or, eliminate the CE_RTR altogether and use the firewall as my CE_RTR?
02-21-2020 11:58 AM
Hello,
I assume the CE devices are doing the NAT...
I think it is possible to terminate the VPN on the firewall by exempting the ASA IP address from being translated. I'll need to lab this up, will get back with you...
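As an added example (not from either post), one way to make the Site C ASA reachable as an IPsec peer through a NATing CE router: rather than a NAT exemption, a static one-to-one NAT on the CE gives the ASA's private outside address a fixed public identity. It assumes a Cisco IOS CE router, that 10.200.0.10 is the Site C ASA outside address from the question, and uses RFC 5737 documentation addresses as placeholders for the real public ranges.

```cisco
! Site C CE router (Cisco IOS, assumed). 203.0.113.x and 198.51.100.x are
! constructed placeholders for the real Site C and Site A public addresses.
interface GigabitEthernet0/0
 description ISP-facing
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description ASA outside segment (ASA outside = 10.200.0.10)
 ip address 10.200.0.1 255.255.255.0
 ip nat inside
!
! Static one-to-one NAT: the ASA outside address 10.200.0.10 is always
! presented to the Internet as 203.0.113.3, so the Site A firewall peers
! with a stable public address instead of the unroutable 10.200.0.10.
! Static entries take precedence over the PAT rule below.
ip nat inside source static 10.200.0.10 203.0.113.3
!
! Everything else behind the CE shares the interface address (PAT).
ip access-list standard NAT_USERS
 permit 10.200.0.0 0.0.0.255
ip nat inside source list NAT_USERS interface GigabitEthernet0/0 overload
!
! If the CE filters inbound traffic on the ISP side, IKE (UDP/500),
! NAT-T (UDP/4500) and ESP from the Site A public address to the
! translated address must be permitted; inbound ACLs are evaluated
! before the outside-to-inside translation, so match on 203.0.113.3.
ip access-list extended FROM_INTERNET
 permit udp host 198.51.100.10 host 203.0.113.3 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.3 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.3
 remark existing entries for return traffic of the PAT users follow
```

On the Site A firewall the tunnel peer is then 203.0.113.3 rather than 10.200.0.10, so no static route to 10.200.0.10 is needed. If the CE has only its single interface address, the same idea works with `ip nat inside source static udp 10.200.0.10 500 interface GigabitEthernet0/0 500` (and the same for 4500), which relies on NAT-T being enabled on both firewalls.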