AnyConnect VPN behind NAT device

Phillip Simonds
Level 1

Hi all,

I have a customer who would like to put an ASA (vpn_asa) behind another ASA (outside_asa) that attaches to the internet, and use the vpn_asa to offload VPN connections. There are architectural reasons they want to do so, which we're talking through the caveats of. The primary reason they'd like to do this instead of attaching both ASAs directly to the internet is because they have a bunch of resources that can only be accessed via the internet-routable IP of the outside_asa. Introducing the architectural complexities of using the vpn_asa behind the outside_asa has been deemed a worthy trade-off against the administrative/troubleshooting overhead of making these services accessible via a different IP, at least in the short term.

My question is, can we terminate AnyConnect VPN connections on an ASA that's behind NAT? I know we can use NAT-T to do so with L2L VPNs, and similarly I believe we should just be able to forward connections to 443 on TCP and UDP (DTLS) to the inside_asa, but I'm wondering if we'll run into issues with certificates or anything else. Input appreciated :).

Accepted Solution

As long as your outside ASA is not listening on port 443 (webvpn or https server enabled), this should be possible. I believe the ASA automatically reserves the port 443 from NAT when it starts to listen on that port. You could have the VPN users come to https://<outside-ASA-ip>:8443 and port forward 8443 on the outside to 443 on the inside. You would not need to add the outside ASA's FQDN in the SAN on the VPN cert, it really should never respond to tcp or udp 443 in this case.

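The port forward described in the accepted solution, written out as an ASA (8.3+ object NAT) configuration fragment for the outside_asa. This is an added example, not configuration from the thread, from the poster, or from Cisco documentation; the interface names (dmz, outside), the vpn_asa's private address 10.10.10.2, the object names and the access-list name are constructed placeholders.

```cisco
! outside_asa: map TCP/UDP 8443 on its public interface to 443 on vpn_asa
! (constructed example; vpn_asa's outside interface is assumed to sit on the
!  outside_asa's dmz interface at 10.10.10.2)
object network VPN_ASA_TLS
 host 10.10.10.2
 ! real port 443 (AnyConnect SSL/TLS) appears as 8443 on the outside interface IP
 nat (dmz,outside) static interface service tcp 443 8443
!
! object NAT allows a single nat line per object, so DTLS gets its own object
! for the same host
object network VPN_ASA_DTLS
 host 10.10.10.2
 nat (dmz,outside) static interface service udp 443 8443
!
! post-8.3 access lists match the real (untranslated) address and port
access-list OUTSIDE_IN extended permit tcp any object VPN_ASA_TLS eq 443
access-list OUTSIDE_IN extended permit udp any object VPN_ASA_DTLS eq 443
access-group OUTSIDE_IN in interface outside
```

Two checks are worth running on the outside_asa before pointing clients at it: `show asp table socket` shows whether the box itself is already listening on 443 (the conflict Rahul describes), and `packet-tracer input outside tcp <client-ip> 12345 <outside-asa-ip> 8443` confirms the translation and access-list hit without a real client. One caveat to verify rather than assume: the VPN ASA tells the AnyConnect client which UDP port to use for DTLS (the `dtls port` setting under `webvpn`), so that advertised port has to be one the client can actually reach through the outside_asa's NAT, otherwise the session falls back to TLS only.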

3 Replies

Rahul Govindan
VIP Alumni
I do not see any obvious caveat to this approach. If you are using the outside ASA's WAN IP address and port forwarding only TLS and DTLS ports, be aware that any port 443 services on the outside ASA would cause a conflict (including any servers using the ASA's IP address and 443 port). If you use a different WAN IP address in the public IP space and do a static 1-1 NAT for the VPN ASA's WAN IP address, this won't be a concern.

Another approach is to terminate both ASAs on the WAN and connect the inside of the VPN ASA to a new "VPN" interface of the outside ASA. This would still achieve what the customer is looking for and eliminate the need for a particular NAT on the outside ASA for the VPN ASA.

Hi Rahul, thanks for the feedback.

So you don't see any certificate issues? Do I need to put multiple IPs (one for external ip of outside_asa, one for external ip of vpn_asa) into the SAN field in the CSR I submit to our cert provider?

I don't think the second option you specified is viable as, in order to share the internet-routable IP of the outside_asa, the inside_asa's default route must point towards the internal (or DMZ) address of the outside_asa for internet-bound traffic, which would then be NAT'd to an IP on the internet-facing interface of the outside_asa and routed to the ISP in that direction. I don't think it would make much sense to put the vpn_asa directly on the internet unless we can use different internet-routable IPs on both boxes, which our constraints prohibit us from doing.

Regards,

Phillip