11-21-2022 11:07 AM
Good Day,
I am switching Internet providers and the way it connects to my network is using Carrier Grade NAT on the 100.66.0.0-100.66.0.255 network, and they then distribute a publicly routable /27 via BGP. This works well for NATted and DMZ hosts; however, I am unable to get any point-to-point VPNs up between any of my offices, and it looks like the cause is the ISP filtering UDP port 500.
Is there any way possible to have site-to-site LAN setup using a single ASA? I was thinking perhaps I could assign one of my public IPs to a loopback interface and then NAT that address to try and establish connectivity.
Any help would be appreciated
11-21-2022 11:41 PM
If the ISP is filtering, then you need to contact the ISP about the requirement.
You can run the debug and see what error messages and failure causes appear before you contact the ISP.
11-22-2022 12:24 AM
Can you elaborate more on what is private and what is public here in your topology?
11-22-2022 06:33 AM
I've attached a very basic diagram.
Our ISP is providing connectivity via the 100.66.0.129/100.66.0.130 addresses and is publishing a default route to us via a BGP neighborship; we are publishing our public network 83.59.21.96/27. I have been unsuccessful in setting up a VPN tunnel through the provider network to one of my public IP addresses. I have a PC set up on a private LAN and can reach the Internet, and I have been able to get a server up on a public address and can access those services as well. The issue seems to be UDP/ESP related, as connections over TCP appear to be fine.
This is why I was thinking that there is perhaps a way to encapsulate the tunnel on L3 of the network.
Thank you
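The symptom described above (TCP fine, IKE on UDP/500 never completing) can be narrowed down before involving the ISP by checking whether IKE traffic on UDP/500 and on the NAT-T port UDP/4500 actually reaches the far-end ASA. The following script is an added example written for this thread, not something posted by the original poster or taken from Cisco. It builds a bare IKEv2 IKE_SA_INIT header (layout from RFC 7296), prefixes the RFC 3948 non-ESP marker when sending to 4500, and reports which of the two ports gets any IKE reply back. It assumes you run it from one office against the public IP of your own ASA at the other office, that IKEv2 is enabled on that ASA's outside interface, and that the ASA answers the probe (a responder replies with a notify even to a payload-less request; if yours does not, a timeout on both ports is inconclusive). It only tests UDP; native ESP (IP protocol 50) is a separate question.

```python
import os
import socket
import struct
import sys

# IKEv2 header constants (RFC 7296, section 3.1)
IKE_PORT = 500
IKE_NATT_PORT = 4500
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
IKE_VERSION = 0x20          # major 2, minor 0
IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: distinguishes IKE from ESP on UDP/4500


def build_ike_sa_init_header(spi_i: bytes) -> bytes:
    """Return a 28-byte IKE_SA_INIT request header with no payloads.
    Good enough as a reachability probe: the only thing we care about is
    whether *any* IKE datagram comes back with our initiator SPI."""
    if len(spi_i) != 8:
        raise ValueError("initiator SPI must be 8 bytes")
    responder_spi = b"\x00" * 8          # unknown until the peer answers
    next_payload = 0                      # no payloads follow the header
    message_id = 0                        # IKE_SA_INIT is always message 0
    return struct.pack("!8s8sBBBBII", spi_i, responder_spi, next_payload,
                       IKE_VERSION, EXCH_IKE_SA_INIT, FLAG_INITIATOR,
                       message_id, IKE_HEADER_LEN)


def parse_ike_header(data: bytes) -> dict:
    """Decode the fixed IKEv2 header of a received datagram."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than an IKE header")
    spi_i, spi_r, np_, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": np_, "version": ver,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def frame_for_port(msg: bytes, port: int) -> bytes:
    """On UDP/4500 IKE must be preceded by the 4-byte zero non-ESP marker."""
    return NON_ESP_MARKER + msg if port == IKE_NATT_PORT else msg


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Send one IKE_SA_INIT header; return 'reply', 'timeout', 'unreachable' or 'unexpected'."""
    spi = os.urandom(8)
    wire = frame_for_port(build_ike_sa_init_header(spi), port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(wire, (host, port))
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return "timeout"            # nothing back: filtered somewhere, or peer silent
        except ConnectionRefusedError:
            return "unreachable"        # ICMP port unreachable surfaced by the OS
    if port == IKE_NATT_PORT and data.startswith(NON_ESP_MARKER):
        data = data[len(NON_ESP_MARKER):]
    try:
        hdr = parse_ike_header(data)
    except ValueError:
        return "unexpected"
    return "reply" if hdr["spi_i"] == spi else "unexpected"


def classify(results: dict) -> str:
    """Turn the per-port outcome into the next troubleshooting step."""
    r500, r4500 = results.get(IKE_PORT), results.get(IKE_NATT_PORT)
    if r500 == "reply" and r4500 == "reply":
        return "both IKE ports reachable; look at policy, NAT exemption or ESP instead"
    if r500 != "reply" and r4500 == "reply":
        return "UDP/500 blocked but UDP/4500 open: force NAT-T so IKE and ESP both ride UDP/4500"
    if r500 == "reply" and r4500 != "reply":
        return "UDP/500 open, UDP/4500 blocked: NAT-T unavailable, raise UDP/4500 with the ISP"
    return "no IKE reply on either port: ask the ISP to allow UDP/500 and UDP/4500"


if __name__ == "__main__":
    # Usage: python ike_probe.py <public IP of the far-end ASA>
    peer = sys.argv[1]
    outcome = {p: probe(peer, p) for p in (IKE_PORT, IKE_NATT_PORT)}
    for port, res in outcome.items():
        print(f"UDP/{port}: {res}")
    print(classify(outcome))
```

Run it from the office that can still build tunnels, pointed at one of the new site's /27 addresses that is NATted to the ASA's outside interface. Pair the result with `debug crypto ikev2` on the far-end ASA: if the probe times out and the ASA logs nothing, the datagram is being dropped upstream, which is the evidence to take to the provider.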
11-22-2022 07:18 AM