Getting VPN to work on a different Edge

Kevin Melton
Level 2

Recently a Customer of mine upgraded their existing ASAs to ASA-X models.  I have configured and have installed the new Failover Pair.

This is cool, but not really the issue.

The former ASA 5510 models had Anyconnect licensing on them.  I am not able to take the licensing from the legacy ASA 5510 and put it on the ASA-5515X models, which means that the customer would have to purchase additional VPN licensing, and they are not willing to do that.

I have placed the legacy ASA on another circuit, which is effectively the backup Internet DSL circuit for the facility if the main one fails.

Since I have EIGRP advertising a default route from the Main Circuit, I now have the challenge of having VPN traffic being returned out the way it came, vs. heading out the side that the default route would have it go.

I am running EIGRP 100 on these devices.

I have also included a diagram.

Thanks for any suggestions!


Richard Burts
Hall of Fame

Kevin


There may be aspects of your environment that I do not yet understand that impact how this would work. But it seems to me that if the legacy ASA is configured with a pool of addresses which is unique within your network, that it should not be too difficult to achieve what you need. When a user outside connects with AnyConnect they are assigned an IP from the address pool. Now when they send traffic to resources within your network the source address will be the pool address. So when the inside resource sends a response the destination would be the pool address and your network should return that traffic to the Legacy ASA rather than forwarding to the default route. I implemented something quite similar to this for a customer and it worked quite well for them.

HTH

Rick

If what you have said is valid, then perhaps I do not have the issue that I think that I do.

I will follow up and let you know if this works.

Thank You!


Richard

On the circuit where I have moved the legacy ASA with the VPN licensing to it, there is only the 1 public IP address.

I have not ever configured an ASA to only use 1 public IP.  Is there some command, similar to "interface", which will translate everything?

I have multiple inside Vlans, so I need to determine:

can I use just one translation for all vlans?

or do I have to create a separate global PAT for each of them?


Thank You

Kevin


It seems to me that an ASA with a single Public IP for its outside interface is not so unusual. And I certainly think it should be pretty easy to configure. Perhaps I did not correctly understand what you are trying to do. I assumed that the new ASAs pair was handling most of the network traffic and that the Legacy ASA was used for AnyConnect VPN. Is that not the case? If it is the case then why do you still need multiple inside VLANs on the Legacy ASA? And even with multiple VLANs on the ASA it should be quite possible to do address translation using the single Public IP on the outside interface.

HTH

Rick
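An added configuration example, not from this thread, showing the two points above together: Rick's suggestion that a VPN pool unique to the network lets the core route replies back to the legacy ASA, and Kevin's question of translating every inside subnet with the single outside interface address. ASA 8.3+ NAT syntax; the pool, object names, 10.1.1.0/24 transit link and the legacy ASA inside address 10.1.1.2 are assumed placeholders.

```cisco
! ---- Legacy ASA (AnyConnect, single public IP on outside) ----
! Pool chosen so it overlaps nothing else in the network (assumed range)
ip local pool ANYCONNECT-POOL 10.250.0.1-10.250.0.254 mask 255.255.255.0

object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
object network VPN-POOL
 subnet 10.250.0.0 255.255.255.0

! Identity NAT: inside <-> VPN-client traffic is not translated, and
! route-lookup lets the routing table, not the NAT rule, pick the egress
nat (inside,outside) source static INSIDE-NETS INSIDE-NETS destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! One rule for all inside subnets: PAT everything else to the outside
! interface address (answers "can I use just one translation for all vlans?")
nat (inside,outside) after-auto source dynamic any interface

! EIGRP 100 on the transit link toward the core (assumed addressing)
router eigrp 100
 network 10.1.1.0 255.255.255.0

! ---- Core router (IOS) ----
! Replies to pool addresses must reach the legacy ASA, not the EIGRP default
! route toward the ASA-X pair: a static route for the pool, redistributed
ip route 10.250.0.0 255.255.255.0 10.1.1.2
router eigrp 100
 network 10.1.1.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500
```

To confirm the return path, `show ip route 10.250.0.1` on the core should resolve to 10.1.1.2 rather than the default route, and `show nat detail` on the legacy ASA should show the identity rule matching inside-to-pool traffic ahead of the interface PAT rule.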

 Perhaps I did not correctly understand what you are trying to do. I assumed that the new ASAs pair was handling most of the network traffic and that the Legacy ASA was used for AnyConnect VPN. Is that not the case? If it is the case then why do you still need multiple inside VLANs on the Legacy ASA? And even with multiple VLANs on the ASA it should be quite possible to do address translation using the single Public IP on the outside interface.

Thanks for your reply.  Perhaps it is not unusual for an ASA to use the interface address for everything; I had simply not ever configured it that way before, as I have always had available addresses in a public pool each other time.   I did figure out how to accomplish the task.  There are not multiple VLANs on any of the ASAs, as they all route to our Core (router on a stick).  I simply had to get EIGRP working but had to weigh the default route coming from that side so that it was not preferred but rather became a feasible successor.

All is configured and working now.  Thanks again for your help.

Kevin


I am glad that it is configured and working now. Thank you for posting back to the forum to let us know that it is working and that getting EIGRP working was a key element in finding the solution. Thank you for using the rating system to mark this question as answered as this helps other readers in the forum to find information that is helpful.

HTH

Rick