I am switching Internet providers and the way it connects to my network is using Carrier Grade NAT on the 100.66.0.0-100.66.0.255 network and they then distribute a publicly routable /27 via BGP. This works well for NATted and DMZ hosts however I am unable to get any point-to-point VPNs up between any of my offices and it looks like the cause is due to the ISP filtering UDP port 500.
Is there any way possible to have site-to-site LAN setup using a single ASA? I was thinking perhaps I could assign one of my public IPs to a loopback interface and then NAT that address to try and establish connectivity.
Our ISP is providing connectivity via 100.66.0.129/100.66.0.130 addresses and is publishing a default route to us via BGP neighborship, we are publishing our public network 18.104.22.168/27. I have been unsuccessful in setting up a VPN tunnel through the provider network to one of my public IP addresses. I have a PC setup on a private LAN and can reach the Internet and I have been able to get a server up on a public address and I can access those services as well, the issue seems to be UDP/ESP related as connections over TCP appear to be fine.
This is why I was thinking that there is perhaps a way to encapsulate the tunnel on L3 of the network.