10-31-2017 08:49 AM - edited 03-12-2019 04:41 AM
Hi all,
I have a customer who would like to put an ASA (vpn_asa) behind another ASA (outside_asa) that attaches to the internet, and use the vpn_asa to offload VPN connections. There are architectural reasons they want to do so, which we're talking through the caveats of. The primary reason they'd like to do this instead of attaching both ASAs directly to the internet is because they have a bunch of resources that can only be accessed via the internet-routable IP of the outside_asa. Introducing the architectural complexities of using the vpn_asa behind the outside_asa has been deemed a worthy trade-off against the administrative/troubleshooting overhead of making these services accessible via a different IP, at least in the short term.
My question is, can we terminate AnyConnect VPN connections on an ASA that's behind NAT? I know we can use NAT-T to do so with L2L VPNs, and similarly I believe we should just be able to forward connections to 443 on TCP and UDP (DTLS) to the inside_asa, but I'm wondering if we'll run into issues with certificates or anything else. Input appreciated :).
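The port forwarding the question describes, written out as an added example configuration (not from the original thread) in ASA 8.3+ twice-NAT syntax. The addresses, object names and the interface names dmz/outside are assumed, and it assumes outside_asa does not itself serve anything on TCP/UDP 443 on that public IP.

```cisco
! ---- outside_asa (internet-facing) ----
! Constructed addresses: outside_asa's outside interface holds the public IP
! (203.0.113.10); vpn_asa's outside interface sits on the dmz segment at 10.10.10.2.
object network VPN_ASA_REAL
 host 10.10.10.2
object service ANYCONNECT_TLS
 service tcp destination eq 443
object service ANYCONNECT_DTLS
 service udp destination eq 443
! Twice NAT: TCP/443 (SSL) and UDP/443 (DTLS) arriving on the shared public
! address are forwarded to vpn_asa. One rule per protocol is required.
nat (dmz,outside) source static VPN_ASA_REAL interface service ANYCONNECT_TLS ANYCONNECT_TLS
nat (dmz,outside) source static VPN_ASA_REAL interface service ANYCONNECT_DTLS ANYCONNECT_DTLS
! Post-8.3 ACLs reference the real (pre-NAT) address. Only the two VPN ports
! are opened; everything else towards vpn_asa stays closed.
access-list OUTSIDE_IN extended permit tcp any object VPN_ASA_REAL eq 443
access-list OUTSIDE_IN extended permit udp any object VPN_ASA_REAL eq 443
access-group OUTSIDE_IN in interface outside

! ---- vpn_asa (behind outside_asa) ----
! Default route towards outside_asa's dmz address (constructed: 10.10.10.1)
! so VPN return traffic is NATed by outside_asa on its way to the ISP.
route outside 0.0.0.0 0.0.0.0 10.10.10.1
! Terminate AnyConnect on the interface facing outside_asa; DTLS is on by default.
webvpn
 enable outside
 anyconnect enable
```

Clients connect to outside_asa's public name or IP, so the identity certificate installed on vpn_asa must carry that name in its SAN; vpn_asa's private address is never seen by clients and does not need to be in the certificate.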
10-31-2017 09:45 AM - edited 10-31-2017 09:46 AM
Hi Rahul, thanks for the feedback.
So you don't see any certificate issues? Do I need to put multiple IPs (one for the external IP of outside_asa, one for the external IP of vpn_asa) into the SAN field in the CSR I submit to our cert provider?
I don't think the second option you specified is viable as, in order to share the internet-routable IP of the outside_asa, the inside_asa's default route must point towards the internal (or DMZ) address of the outside_asa for internet-bound traffic, which would then be NAT'd to an IP on the internet-facing interface of the outside_asa and routed to the ISP in that direction. I don't think it would make much sense to put the vpn_asa directly on the internet unless we can use different internet-routable IPs on both boxes, which our constraints prohibit us from doing.
Regards,
Phillip