Richard Burts

First a question about the config that you suggest: interface inside usually has security level of 100. Did you intend to make its security level the same as the outside interface?

i can change it to 100 but is there any issue to make it level 0 same as outside ifc?

I was not aware of the licensing aspect of the vpn. If you do not have appropriate licensing on the router and do have appropriate licensing on the ASA then it makes good sense to have the vpn on the ASA. If the vpn will be on the ASA then I do not see any reason to have the Public IP on the router. The Public IP and the logic for the vpn should be configured on the 

yes im using evaluation security license on 2911 router so its better to make in on ASA as im having already 3 yrs period of license 

now if i put the public ip on the asa so it should be assign on outside interface ?

and as u know my main concern is that asa ifc not accepting primary ip (for public) & secondary ip ( for route transition with isp router ) so that why im asking where should i put the public ip address ? if possible to leave the public ip on the router ifc which facing the inside asa ifc or as u said i can make loopback 0 adn assign the public on it and create static route on asa pointing to the public network ?

then i dont know of the tunnel will be working fine on asa after that of not ? 

First let me clarify the setting of the level of the interfaces. By default the ASA implements some security policies:

- by default outside interface is 0 (can be changed to any value you choose - if there is some reason to want to change it)

- by default inside is 100 (can be changed to any value you choose - if there is some reason to want to change it)

- by default packets originated on a higher level interface will be sent to a lower level interface (can be changed by configuring access lists etc)

- by default packets originated on a lower level interface will not be sent to a higher level interface (can be changed by configuring access lists etc)

- by default packets originated on an interface will not be sent to another interface with the same level

So if you use the defaults then traffic originated from inside gets sent out (and responses are accepted - this is sometimes referred to as stateful inspection) but traffic originated from outside is not sent to inside. This default security policy generally works pretty well for most people and makes it easier to configure and operate the ASA. When you do not use the defaults then configuring and operating the ASA becomes more complicated. That is why I asked if it was intentional to change the level of inside interface. If there is a reason for it then it is certainly possible to use inside with level 0. But if there is not a particular reason to use level 0 then why make things more complicated?

Then let me try to clarify the Public IP and vpn. In general when there will be vpn the Public IP is used as the source address for the vpn session. And so the Public IP is generally configured on the device where the vpn will be configured. (there are options when the source for the vpn is a private IP, but these are less common and are more complicated to configure). So if the licensing issues mean that the ASA should be where the vpn is configured then it makes sense that the ASA should be where the Public IP is configured. The ASA does not support secondary addressing so it is not possible to assign the Public IP as secondary on the outside interface, but it should be possible to configure another interface on the ASA with the Public IP and then configure the vpn to use this as the source address. 

Richard Burts

it should be possible to configure another interface on the ASA with the Public IP and then configure the vpn to use this as the source address. 

i have question on this ?!

i already configured new ifc interface GigabitEthernet1/3 on asa as below with public ip address and removed from 2911 router and change the source on vpn setup but this interface need to connected by physical network cable and the other end should be connected to where ?

the interface as attached pic is down with orange color (means not connected) so where should i connect this ifc to?

i have already connected the cable which have the internet service came from isp to the interface GigabitEthernet1/1 !!

please check below config :
ROUTER 2911:
-------------------
interface GigabitEthernet0/1
description connected to ASAiNSIDEiNTERFACE
ip address 10.246.14.207 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.246.14.208
--------------------------
ASA:
-------------------------
interface GigabitEthernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.4x.1xx.12 255.255.255.248
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.246.14.208 255.255.255.0

interface GigabitEthernet1/3
nameif vpn_public_ip
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 154.2xx.1xx.129 255.255.255.240
ipv6 address autoconfig
ipv6 enable

route outside 0.0.0.0 0.0.0.0 10.4x.1xx.11 1 (next hope ip address on isp router)
route inside 10.246.0.0 255.255.240.0 10.246.14.207 1 (local network id)

Richard Burts

it should be possible to configure another interface on the ASA with the Public IP and then configure the vpn to use this as the source address. 

i have question on this ?!

i already configured new ifc interface GigabitEthernet1/3 on asa as below with public ip address and removed from 2911 router and change the source on vpn setup but this interface need to connected by physical network cable and the other end should be connected to where ?

the interface as attached pic is down with orange color (means not connected) so where should i connect this ifc to?

i have already connected the cable which have the internet service came from isp to the interface GigabitEthernet1/1 !!

please check below config :
ROUTER 2911:
-------------------
interface GigabitEthernet0/1
description connected to ASAiNSIDEiNTERFACE
ip address 10.246.14.207 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.246.14.208
--------------------------
ASA:
-------------------------
interface GigabitEthernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.4x.1xx.12 255.255.255.248
ipv6 address autoconfig
ipv6 enable
!
interface GigabitEthernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.246.14.208 255.255.255.0

interface GigabitEthernet1/3
nameif vpn_public_ip
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 154.2xx.1xx.129 255.255.255.240
ipv6 address autoconfig
ipv6 enable

route outside 0.0.0.0 0.0.0.0 10.4x.1xx.11 1 (next hope ip address on isp router)
route inside 10.246.0.0 255.255.240.0 10.246.14.207 1 (local network id)

Richard Burts

may i have your recommendation on my last reply at your last answer 

if you can check my answer and attached pic for asa

thanks

amr alrazzaz

After some time away I have taken a fresh look at the entire discussion. I would like a better understanding of why the router interface is configured with a primary and a secondary IP address. You have indicated that the Public IP was for the VPN. I am not clear why there is also a private IP and what function it provides. Can you provide clarification on this?

I am thinking about the fact that you want to have the VPN on the ASA and understand the licensing aspect of it. The typical configuration of site to site VPN on ASA uses the Public IP on the outside interface and as the source address for the VPN, as was suggested by @Georg Pauwen. I am thinking that this might be a good approach for your implementation. What things were done with the private IP and could those things be done with the Public IP?

actually ill take you to another issue which sudden happened to me and dont know why ?!!

I have a problem with deploying any changes to my  ASA5516-X and this happen suddenly and cant change the configurations or do any changes ?? It is failing with any changes, regardless what I try. The deployment always fails and I do not know how to get out of this situation without consulting you experts!

I have below weird msg when im trying to login to asa using ssh

Last login: Tue Jan 5 13:53:29 UTC 2021 from 10.246.14.222 on pts/0

Copyright 2004-2019, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.5.0 (build 4)
Cisco ASA5516-X Threat Defense v6.5.0 (build 115)

You have logged in while system startup is in progress. Please wait, some feature may be unavailable until startup is complete.

GCAI01-Firepower# show version
---------------[ EGCAI01-Firepower ]----------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.5.0 (Build 115)
UUID : 2edfecc2-e0fc-11ea-8172-ea9e617e90fb
Rules update version : 2019-08-12-001-vrt
VDB version : 309
----------------------------------------------------

another thing maybe it help:

- i cant configure new local use with below error :

> configure user add munir config
Enter new password for user munir:
Confirm new password for user munir:
Couldn't connect to DB at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/Permission.pm line 710.

Printing stack trace:
called from /ngfw/usr/local/sf/lib/perl/5.10.1/SF/Permission.pm (710)
called from /usr/local/sf/bin/cli_usrmgr (322)
called from /usr/local/sf/bin/cli_usrmgr (781)

- also i can even take backup from ASA !!! (nothing deployed on the asa or any changes i made its not saved after deployed )

I am not clear what is the explanation for the errors you are encountering. This is what I would suggest:

- if this is under maintenance with Cisco then I would open a case with Cisco TAC.

- you might try power cycle and see if it runs clean after booting up.