ASA A/S Site to Site VPN

anthonykahwati
Level 1

Hi

Can someone clarify this for me please?

I plan on placing a pair of ASAv's in an environment to bring up an IPSEC VPN.

* Do I need a tunnel for each ASA, and an external IP address for each as well? If not, will the tunnel just fail from one ASA to the other like any other stateful flow?

* Does NAT work in the same way when sending traffic down the tunnel? i.e. can I hide traffic behind an IP in a pool or behind an interface as it leaves the ASA and goes down the tunnel?

Thank you!

Accepted Solutions

Hi,

I assume you are setting up an Active/Standby HA pair? If so, no, you don't require an explicit standby IP address. Upon failover the IP address will be assigned to the now primary unit.

Yes, NAT works the same way in a VPN tunnel; usually it's recommended to define a NAT exemption rule to ensure traffic is not natted. If you do wish to NAT, then you'd need to ensure the crypto ACL that defines the interesting traffic refers to the NAT IP address rather than the real IP address(es).

HTH
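
The two NAT choices described in the reply above, as an added configuration example in ASA 8.3+ syntax (not part of the original post). All object names, the crypto map name, the interface names `inside`/`outside`, and the addresses are constructed placeholders; configure only one of the two options.

```cisco
! Constructed sample addressing (assumptions, not from the thread)
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0

! ---- Option A: NAT exemption (traffic enters the tunnel un-NATed) ----
! Identity NAT: LOCAL-LAN is translated to itself when the destination
! is REMOTE-LAN, so the broader internet PAT rule does not match first.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! The crypto ACL matches the REAL source addresses.
access-list VPN-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN

! ---- Option B: hide the LAN behind one address inside the tunnel ----
! NAT is applied before the crypto ACL is evaluated, so the interesting
! traffic must be defined with the TRANSLATED source address.
object network VPN-HIDE-IP
 host 192.0.2.10

nat (inside,outside) source dynamic LOCAL-LAN VPN-HIDE-IP destination static REMOTE-LAN REMOTE-LAN

access-list VPN-ACL extended permit ip object VPN-HIDE-IP object REMOTE-LAN

! ---- Common to both options ----
! Bind the ACL to the crypto map entry for this peer. The remote peer's
! crypto ACL must mirror whichever source it actually sees
! (10.1.1.0/24 for Option A, 192.0.2.10 for Option B).
crypto map OUTSIDE-MAP 10 match address VPN-ACL
```

After applying either option, `packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.10 443 detailed` shows which NAT rule matched and whether the flow reached the VPN encrypt phase.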
