04-07-2023 11:53 AM
Hello Design Gurus,
Looking for guidance here.
I have the below simplified architecture. I want remote devices behind the ASA5508 to be part of the HQ network.
Is there a way to extend L2 from HQ to the branch? I know you will tell me to do GRE over IPsec, but it sounds like GRE isn't supported by the ASA. Any other alternative?
04-10-2023 03:08 PM
@Gustavo Medina - this is interesting but at the same time confusing.
If I understand, you think the resolution will be something like this:
ASA site-to-site VPN setup with the Mikrotik, and then let's say we have
object: local-subnet: 192.168.20.0/24
remote-subnet (target subnet we want to extend originally): 172.16.15.0/24
object host: nated-host: 172.16.15.10
NAT will look like this -
nat (inside,outside) source static local-subnet nated-host destination static remote-subnet remote-subnet no-proxy-arp route-lookup
The NATed host belongs to the destination subnet; will this work?
04-10-2023 04:14 PM
You are translating a /24 subnet (192.168.20.0/24) to a single IP (172.16.15.10) so you would need to do a dynamic policy NAT. The problem would be the return traffic on the Mikrotik as you would need to force the hosts on the 172.16.15.0/24 subnet to send the traffic to the 172.16.15.10 through the tunnel. It would be cleaner to do the NAT on that side so that the Mikrotik translates the 192.168.20.0/24 network to 172.16.15.10 and the return traffic will be untranslated to 192.168.20.0/24 and sent through the tunnel.
04-10-2023 04:37 PM
How will the Mikrotik know about 192.168.20.0/24? Basically, this subnet will be hidden by the ASA, and only 172.16.15.10 will be exposed to the tunnel.
As you said, the problem will be the return traffic: 172.16.15.10 belongs to the Mikrotik internal traffic, so how will this be sent back over the tunnel?
Have you tested that scenario before? I would be curious to know if there is an article/guide about this use case.
04-10-2023 05:21 PM
In the example I gave you the ASA would not be doing NAT, only the Mikrotik. It would receive the traffic with source 192.168.20.0/24 and perform PAT to it translating the source to 172.16.15.10. The return traffic from 172.16.15.0/24 to 172.16.15.10 will be sent to the Mikrotik, untranslated to the original 192.168.20.0/24 and sent back through the tunnel.
I wrote an article some time ago for some overlapping scenarios, it does not quite apply to your scenario but it should give you a better understanding of what can be done in terms of NAT.
04-11-2023 04:02 AM - edited 04-11-2023 10:56 AM
Totally understood, meaning all NAT work will be done from the other side (Mikrotik side).
I'm thinking about this phrase: "The return traffic from 172.16.15.0/24 to 172.16.15.10 will be sent to the Mikrotik."
How will the network infrastructure behind the Mikrotik respond back to 172.16.15.10 while this IP belongs to the same subnet? If I'm not mistaken, return traffic will not hit the Mikrotik router, agree?
04-11-2023 10:27 AM
Because when the Mikrotik router translates the source of the traffic from 192.168.20.0/24 to 172.16.15.10 it will use its own MAC address.
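The two explanations above (NAT only on the Mikrotik side, and return traffic reaching the Mikrotik because the NAT address is answered with the router's own MAC) can be put into one RouterOS configuration. This is an added example written for this page, not configuration posted by either participant. It assumes the branch LAN interface is named `bridge-lan`, that the Mikrotik's own LAN address is 172.16.15.10/24 (so it answers ARP for that IP and replies land on the router), that the IPsec peer object for the ASA is named `asa-hq`, and `ASA_WAN_IP` / `CHANGE_ME` are placeholders; the RouterOS v7 syntax is assumed.

```routeros
# Added example, not from the thread. Branch Mikrotik hides the HQ-side
# 192.168.20.0/24 (behind the ASA) behind its own LAN address 172.16.15.10.
# Assumptions: LAN interface "bridge-lan", peer name "asa-hq",
# ASA_WAN_IP and CHANGE_ME are placeholders.

/ip address
add address=172.16.15.10/24 interface=bridge-lan comment="LAN address, also used as the NAT address"

# IKEv2 site-to-site peer towards the ASA (proposal values are an assumption;
# they must match the ASA's crypto configuration).
/ip ipsec peer
add name=asa-hq address=ASA_WAN_IP exchange-mode=ike2
/ip ipsec identity
add peer=asa-hq auth-method=pre-shared-key secret=CHANGE_ME
/ip ipsec proposal
add name=asa-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec policy
add peer=asa-hq tunnel=yes src-address=172.16.15.0/24 dst-address=192.168.20.0/24 \
    proposal=asa-prop action=encrypt

/ip firewall nat
# Packets that arrive decrypted from the tunnel with source 192.168.20.0/24 and
# are forwarded into the branch LAN get their source rewritten to 172.16.15.10.
# Connection tracking records the mapping, so replies from 172.16.15.x to
# 172.16.15.10 (which reach this router because it owns that IP/MAC) are
# un-NATed back to 192.168.20.x before the IPsec policy is matched, and the
# policy above sends them back into the tunnel.
add chain=srcnat src-address=192.168.20.0/24 dst-address=172.16.15.0/24 \
    out-interface=bridge-lan action=src-nat to-addresses=172.16.15.10 \
    comment="Hide HQ-side 192.168.20.0/24 behind 172.16.15.10"

# Keep any existing internet masquerade rule from rewriting tunnel-bound
# traffic; this accept rule must sit before the masquerade rule.
add chain=srcnat src-address=172.16.15.0/24 dst-address=192.168.20.0/24 \
    action=accept place-before=0 comment="No masquerade for IPsec traffic"
```

On the ASA side, nothing is translated: the crypto ACL simply permits 192.168.20.0/24 to 172.16.15.0/24, and the NAT statement from earlier in the thread becomes an identity (exemption) rule, `nat (inside,outside) source static local-subnet local-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup`, so the original 192.168.20.x source addresses enter the tunnel unchanged. A quick check after bringing the tunnel up is `/ip firewall connection print where dst-address~"172.16.15."` on the Mikrotik, which should show the 192.168.20.x originals with their 172.16.15.10 reply addresses.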
04-11-2023 03:23 PM - edited 04-11-2023 03:23 PM
@Gustavo Medina - Makes total sense!