
ASA IPSEC/VPN termination

lmanavalan
Level 1

Hi

 

I have a couple of ASA 5520s configured as HA. The external IP is configured with a private IP and connected to the service provider router. We are NATting the inside network to a pool of /29 public IP addresses.

 

I need to configure a site-to-site VPN from the ASA to the cloud. What choices do I have to make this work? Do I have to reconfigure the external IP with the public IP and establish the site-to-site VPN, or are there any other options available?

 

Can I configure a loopback address on the ASA with a public IP and create an IPsec tunnel using this IP address?

 

Regards

Logesh

Accepted Solutions

First, the ASA does not have the concept of Loopback addresses, so this is not an option.

For the easiest config and flexibility, it's best to have the public IP directly on the ASA outside interface. If you have a public network to configure between the router and the ASA, go for that.

If you have to stick to the private addresses on the ASA, configure a static port-forward on the router for UDP/500 and UDP/4500 and make sure the other device has NAT-T enabled. Perhaps you have to change the local IKE-identity on your ASA to something that your peer can match. But also behind a NAT, IPsec should work.
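Why UDP/500, UDP/4500, NAT-T and the IKE identity all come up together in the answer above, shown as an added example that is not part of the original post: a simplified Python model of IKEv2 NAT detection (RFC 7296 section 2.23; IKEv1 NAT-T uses the same hash comparison). The addresses, SPI, FQDN and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_* notify data per RFC 7296 section 2.23:
    SHA-1 over SPIi | SPIr | IP address | port (network byte order)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(spi_i + spi_r + packed).digest()

def detect_nat(spi_i, spi_r, sent_src, sent_dst, seen_src, seen_dst):
    """Receiver side: compare the sender's hashes (built from the addresses
    the sender used) with hashes of the addresses on the received packet."""
    return {
        "sender_behind_nat": nat_hash(spi_i, spi_r, *sent_src) != nat_hash(spi_i, spi_r, *seen_src),
        "receiver_behind_nat": nat_hash(spi_i, spi_r, *sent_dst) != nat_hash(spi_i, spi_r, *seen_dst),
    }

def ike_port(nat: dict, nat_t_enabled: bool):
    """Port for the rest of the exchange; None means NAT was detected but
    NAT-T is off, so there is no UDP/4500 encapsulation to fall back on."""
    if not any(nat.values()):
        return 500
    return 4500 if nat_t_enabled else None

def id_accepted(sent_id: tuple, expected_id: tuple) -> bool:
    """Simplified: the peer matches the ID payload (type, value) against its
    configuration, not the source address it sees on the packet."""
    return sent_id == expected_id

# Constructed addresses (assumptions): RFC 1918 for the ASA, documentation ranges elsewhere.
ASA, ROUTER_PUBLIC, CLOUD = "10.0.0.2", "203.0.113.10", "198.51.100.20"
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes(8)  # SPIr is zero in the first message

def asa_initiates():
    # The ASA hashes its private address; the router rewrites the source on the way out.
    return detect_nat(SPI_I, SPI_R, (ASA, 500), (CLOUD, 500), (ROUTER_PUBLIC, 500), (CLOUD, 500))

def cloud_initiates():
    # The cloud targets the public IP; the router's UDP/500 port-forward rewrites the destination.
    return detect_nat(SPI_I, SPI_R, (CLOUD, 500), (ROUTER_PUBLIC, 500), (CLOUD, 500), (ASA, 500))

if __name__ == "__main__":
    for name, nat in (("ASA initiates", asa_initiates()), ("cloud initiates", cloud_initiates())):
        print(name, nat, "-> UDP port", ike_port(nat, nat_t_enabled=True))
    print("private-address ID accepted:", id_accepted(("ipv4", ASA), ("ipv4", ROUTER_PUBLIC)))
    print("FQDN ID accepted:", id_accepted(("fqdn", "asa.example.com"), ("fqdn", "asa.example.com")))
```

In both directions the hash mismatch moves the exchange to UDP/4500, which is why the router needs both forwards, and an address-type identity carrying the private IP does not match a peer configured for the public one.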
