Cisco ASA (9.12) Site to Site VPN termination using IP from alternate IP address.

imdoody
Level 1

I have quite a few site-to-site VPNs configured and working just fine. However, they all terminate on the OUTSIDE IP of the ASA.
We also have 2 public subnets allocated to us, a /28 and a /26. I am aware of how to NAT those IPs to internal hosts in the DMZ, no problem.
But I'm struggling with how to use an IP from those other subnets as the listener (aka the peer address the remote device will connect to). What am I missing here?

The other 2 subnets are advertised from our OUTSIDE interface, and public routing and internal static NATs are working correctly.

Example (using private IPs rather than our actual public IPs):
OUTSIDE interface IP: 10.10.10.230/30
Other subnets: 172.16.1.64/28 and 172.16.2.128/26

I would like to use 172.16.2.145 for the VPN tunnel.
I hope this is all clear enough; I can provide more info if required.


No, you cannot, you have to use the IP address assigned to the physical interface to source/terminate a VPN tunnel.

If you were using a router, you could do what you require, by using a loopback interface...but this is not possible on an ASA.


MHM,

While that document is definitely very helpful, and I have never run across it before, it does not solve the problem I'm having. In the scenario document, each of the tunnel destinations is the IP address of the specific OUTSIDE interface of the remote ASA.

What I'm having trouble understanding is whether or not I can use an IP from a subnet that is registered to us, but NOT the OUTSIDE interface IP, nor even in the same subnet.

For example:

If I wanted ASA Left to accept/route the VPN connection using an IP like 197.52.99.145/26, which is routed through the outside interface of ASA Left (198.51.100.129/30),

then the tunnel for ASA Right would look like this:

nameif tuna
ip address 10.1.1.1 255.255.255.0
tunnel source interface ispa
tunnel destination 197.52.99.145
tunnel mode ipsec ipv4

However, when I've tried this I can't get the tunnel to come up. My NAT normally looks something like:
nat (inside,outside) source static Local Local destination static remote remote route-lookup no-proxy-arp
But how would the traffic know to use/listen on the 197.52.99.145 IP address on the outside interface?

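As an added example (not configuration from the thread, the OP, or Rob), here is the OP's VTI snippet filled out into a complete ASA Right configuration that follows the accepted answer: the tunnel is sourced from an interface, never from an arbitrary address, and the peer must be ASA Left's outside-interface IP (198.51.100.129 in the thread) rather than 197.52.99.145. The policy, proposal, profile and tunnel-group names, the remote LAN, the peer's tunnel IP and the pre-shared key are assumed placeholders.

```cisco
! Added example for ASA Right (names, remote LAN and PSK are assumed placeholders).
! VTI on the ASA requires IKEv2; enable it on the interface the tunnel is sourced from.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable ispa
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI_PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
!
! The tunnel source is an interface, so IKE and ESP are sent from ispa's own address;
! there is no option to source them from another IP routed through that interface.
! The destination is ASA Left's outside-interface IP (198.51.100.129 from the thread),
! not an address such as 197.52.99.145 that is merely routed via that interface.
interface Tunnel1
 nameif tuna
 ip address 10.1.1.1 255.255.255.0
 tunnel source interface ispa
 tunnel destination 198.51.100.129
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE
!
! The tunnel-group name is the peer address, so it is keyed on that same interface IP.
tunnel-group 198.51.100.129 type ipsec-l2l
tunnel-group 198.51.100.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
!
! With a VTI, routing selects the tunnel, so no crypto ACL is needed
! (assumed remote LAN 192.168.20.0/24 and assumed peer tunnel IP 10.1.1.2).
route tuna 192.168.20.0 255.255.255.0 10.1.1.2
```

ASA Left mirrors this with ASA Right's ispa interface address as its tunnel destination and tunnel-group name; a tunnel-group named for 197.52.99.145 would never match the IKE peer.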

Rob,

Thank you very much for the info! I'm kind of glad I was not just being dumb and missing something stupid.

Have a good one.

There are two kinds of VPN: policy-based VPN and route-based VPN.
We have two outside interfaces, one primary and the other a backup.
We normally configure the VPN under the outside interface (two if there is a dual ISP).
So why do we use VTI?
We use VTI to go from policy-based VPN to route-based VPN.

The VTI tunnel destination is routed through the tunnel source, and we protect this interface with IPsec.

So according to this info, you can use VTI with the ASA.
Please share more detail on why the tunnel is not up.