04-20-2020 04:25 AM
Hi all,
I have a customer with the following setup:
A pair of ASAs connecting to an ISP via a /29 transit interface. Let's say the transit is 1.0.0.0/29
- The customer's default gateway is .1 (configured on the ISP equipment)
- The ASAs have .2 (active) and .3 (standby) configured on their outside interfaces
They also have a /26 subnet assigned to them by the ISP (let's say this subnet is 2.0.0.0/26). This subnet is not configured on any interface. The ISP is simply advertising this subnet via the next hop of the customer's ASAs (the 1.0.0.2 address on the active ASA). Currently the customer has NATs configured to allow their 10.x.x.x internal addresses to be NATed to 2.0.0.0/26. No problem here.
AnyConnect RAVPN is currently working fine, terminating on the outside interface.
Recently their ISP has told them they should not route traffic (including RAVPN termination) directly to/from their 1.0.0.0/29 transit subnet and that ALL traffic must be sourced from or destined to the 2.0.0.0/26 subnet. Any traffic that is to/from the 1.0.0.0/29 subnet is policed and the customer is experiencing a degradation of service because of this.
I can't see how we can do this for AnyConnect RAVPN. Surely this has to be enabled on the interface facing the incoming RAVPN connections. I don't think we can configure it on a DMZ interface (so the traffic has to go through the outside and terminate on the DMZ interface). And I don't think ASAs support loopback addresses. Even if they did, I'm not sure how you would configure this.
Can anyone suggest how this can be done or simply tell me categorically that it can't be done?
Many thanks in advance,
Matt.
04-21-2020 08:06 AM
AFAIK it would only be possible by using a second ASA. For instance, spin up an ASAv in the DMZ and terminate the VPN on it. The existing ASA handles everything but the VPN.
Better answer is for them to find another provider who's not so difficult to work with.
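A sketch of the second-ASA approach above, added here as example configuration rather than anything posted in the thread. It assumes ASA 8.3+ NAT syntax, a DMZ of 192.168.100.0/24 behind the existing ASA, a hypothetical ASAv at 192.168.100.10, and 2.0.0.10 as the /26 address clients will connect to (pick one that is not in the existing 10.x-to-/26 NAT pool).

```cisco
! === Existing ASA (outside = 1.0.0.2, dmz = 192.168.100.1/24; assumed) ===
! Static one-to-one NAT: clients reach the ASAv at 2.0.0.10, an address
! the ISP already routes to 1.0.0.2, so no session is sourced from or
! destined to the /29 transit subnet itself.
object network ASAV_ANYCONNECT
 host 192.168.100.10
 nat (dmz,outside) static 2.0.0.10
!
! Only the AnyConnect ports are exposed to the ASAv. Post-8.3 ACLs use the
! real (untranslated) address, hence 192.168.100.10 and not 2.0.0.10.
access-list OUTSIDE_IN extended permit tcp any host 192.168.100.10 eq 443
access-list OUTSIDE_IN extended permit udp any host 192.168.100.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! === Hypothetical ASAv in the DMZ terminating AnyConnect ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.10 255.255.255.0
!
! Default route back through the existing ASA's dmz interface (assumed)
route outside 0.0.0.0 0.0.0.0 192.168.100.1
!
webvpn
 enable outside
 anyconnect enable
```

On the existing ASA, `show nat` and `show xlate` should show the static translation once a client connects; the AnyConnect profile must point at 2.0.0.10 (or a name resolving to it), never at 1.0.0.2.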
04-20-2020 07:16 AM
04-20-2020 12:23 PM
Thank you RJI.
If anyone can think of a magic way of achieving this, please do let me know.
Thanks,
Matt.