AnyConnect VPN not terminating on outside interface?

matty-boy (Level 1)

Hi all,

I have a customer with the following setup:

A pair of ASAs connecting to an ISP via a /29 transit interface. Let's say the transit is 1.0.0.0/29.

- The customer's default gateway is .1 (configured on the ISP equipment)
- The ASAs have .2 (active) and .3 (standby) configured on their outside interfaces

They also have a /26 subnet assigned to them by the ISP (let's say this subnet is 2.0.0.0/26). This subnet is not configured on any interface. The ISP is simply advertising this subnet via the next hop of the customer's ASAs (the 1.0.0.2 address on the active ASA). Currently the customer has NATs configured to allow their 10.x.x.x internal addresses to be NATed to 2.0.0.0/26. No problem here.

AnyConnect RAVPN is currently working fine, terminating on the outside interface.

Recently their ISP has told them they should not route traffic (including RAVPN termination) directly to/from their 1.0.0.0/29 transit subnet and that ALL traffic must be sourced from or destined to the 2.0.0.0/26 subnet. Any traffic that is to/from the 1.0.0.0/29 subnet is policed and the customer is experiencing a degradation of service because of this.

I can't see how we can do this for AnyConnect RAVPN. Surely this has to be enabled on the interface facing the incoming RAVPN connections. I don't think we can configure it on a DMZ interface (so the traffic has to go through the outside and terminate on the DMZ interface). And I don't think ASAs support loopback addresses. Even if they did, I'm not sure how you would configure this.

Can anyone suggest how this can be done or simply tell me categorically that it can't be done?

Many thanks in advance,

Matt.

3 Replies

Hi,
No, I think you are correct, a VPN can only be terminated on an IP address assigned to an interface. This must be the interface closest to the source (the ingress interface); you cannot route through the outside interface and terminate on the DMZ interface.

Yes, loopbacks are not supported on the ASA.

HTH

Thank you RJI.

If anyone can think of a magic way of achieving this, please do let me know.

Thanks,

Matt.

AFAIK it would only be possible by using a second ASA. For instance, spin up an ASAv in the DMZ and terminate the VPN on it. The existing ASA handles everything but the VPN.

Better answer is for them to find another provider who's not so difficult to work with.
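As an added illustration (not configuration posted by anyone in this thread), the ASA-style snippet below sketches the setup Matt describes and then the second-ASA approach from the accepted reply. The transit (1.0.0.0/29) and public (2.0.0.0/26) prefixes are the example values from the question; the interface names, the 10.0.0.0/8 inside object, the PAT pool range, the carve-out of 2.0.0.48/28 for a DMZ, the ASAv address 2.0.0.50 and the AnyConnect image filename are assumptions made for this example.

```cisco
! ---------- Existing design (as described in the question) ----------
! Outside lives on the /29 transit; the active unit holds .2, standby holds .3.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.0.0.2 255.255.255.248 standby 1.0.0.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2      ! assumed inside addressing
!
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1                   ! ISP gateway is .1 on the /29
!
! The /26 is not on any interface; the ISP routes it to 1.0.0.2, and the ASA
! only ever uses it as a NAT pool. Internal 10.x sources leave as 2.0.0.x.
object network INSIDE_NETS
 subnet 10.0.0.0 255.0.0.0                                ! assumed internal range
object network PUBLIC_PAT_POOL
 range 2.0.0.1 2.0.0.47                                   ! assumed pool; leaves .48/28 free
!
nat (inside,outside) source dynamic INSIDE_NETS pat-pool PUBLIC_PAT_POOL
!
! AnyConnect is enabled on "outside", so clients must connect to that
! interface's own address (1.0.0.2). There is no command that binds the
! listener to an address the ASA does not hold on an interface, which is
! why the /29 address cannot simply be swapped for a 2.0.0.0/26 one.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1  ! placeholder filename
 anyconnect enable

! ---------- Second-ASA option (from the accepted reply) ----------
! Carve 2.0.0.48/28 out of the /26 and put it on a DMZ interface of the
! existing pair. Because the ISP already routes the whole /26 to 1.0.0.2,
! the connected DMZ route delivers 2.0.0.48/28 there with no ISP change.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 2.0.0.49 255.255.255.240 standby 2.0.0.51
!
! Only the AnyConnect ports (TLS and DTLS on 443) are opened to the ASAv's
! address; the existing ASA keeps filtering everything else as before.
access-list OUTSIDE_IN extended permit tcp any host 2.0.0.50 eq 443
access-list OUTSIDE_IN extended permit udp any host 2.0.0.50 eq 443
access-group OUTSIDE_IN in interface outside
!
! On the ASAv in the DMZ (separate device), the outside interface holds
! 2.0.0.50, so the VPN now terminates on a /26 address, as the ISP wants.
! interface GigabitEthernet0/0
!  nameif outside
!  security-level 0
!  ip address 2.0.0.50 255.255.255.240
! route outside 0.0.0.0 0.0.0.0 2.0.0.49 1
! webvpn
!  enable outside
!  anyconnect enable
```

The point the snippet makes concrete is the one in RJI's reply: the `enable outside` line ties the listener to whatever address `outside` carries, so moving termination onto the /26 means giving some interface an address from the /26, which in turn means a second box (the ASAv) behind a DMZ interface, since the transit-facing interface of the existing pair must stay on the /29. Decrypted client traffic from the ASAv still has to be routed and permitted from `dmz` to `inside` on the existing ASA; that part is omitted here.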
