08-28-2020 02:06 AM
Hi
Can someone clarify this for me please?
I plan on placing a pair of ASAv's in an environment to bring up an IPSEC VPN.
* Do I need a tunnel for each ASA, and an external IP address for each as well? If not, will the tunnel just fail from one ASA to the other like any other stateful flow?
* Does NAT work in the same way when sending traffic down the tunnel? i.e. can I hide traffic behind an IP in a pool or behind an interface as it leaves the ASA and goes down the tunnel?
Thank you!
08-28-2020 02:13 AM
Hi,
I assume you are setting up an Active/Standby HA pair? If so, no, you don't require an explicit standby IP address. Upon failover the IP address will be assigned to the now primary unit.
Yes, NAT works the same way in a VPN tunnel. Usually it's recommended to define a NAT exemption rule to ensure traffic is not natted. If you do wish to NAT, then you'd need to ensure the crypto ACL that defines the interesting traffic refers to the NAT IP address rather than the real IP address(es).
HTH
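The two NAT choices described in the answer above, as an added ASA configuration example that is not part of the original posts. Interface names (`inside`, `outside`), object and ACL names, the crypto map name and all addresses are constructed for illustration; use one option, not both.

```cisco
! Constructed addressing (hypothetical):
!   local LAN 10.10.10.0/24, remote LAN 10.20.20.0/24,
!   translated (hide) address 192.168.100.1
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.20.20.0 255.255.255.0
object network LOCAL-XLATE
 host 192.168.100.1

! --- Option A: NAT exemption (identity NAT) for tunnel traffic ---
! Source stays untranslated, so the crypto ACL matches the real subnet.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
access-list VPN-ACL extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0

! --- Option B: hide the local LAN behind one address in the tunnel ---
! NAT is applied before the crypto ACL is evaluated, so the ACL must
! match the translated source, not 10.10.10.0/24.
nat (inside,outside) source dynamic LOCAL-LAN LOCAL-XLATE destination static REMOTE-LAN REMOTE-LAN
access-list VPN-ACL extended permit ip host 192.168.100.1 10.20.20.0 255.255.255.0

! Either option: bind the ACL to the crypto map entry.
crypto map OUTSIDE-MAP 10 match address VPN-ACL

! Verification from the active unit:
!   packet-tracer input inside tcp 10.10.10.5 12345 10.20.20.5 443
!   show crypto ipsec sa
! The local ident in "show crypto ipsec sa" should show 10.10.10.0/24
! for Option A and 192.168.100.1 for Option B.
```

The peer's crypto ACL has to mirror whichever source the ASA actually sends, so with Option B the remote side defines 192.168.100.1 as the remote network rather than 10.10.10.0/24.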