VPN Behind another External interface

pchelisant
Level 1

Dears!

I'm facing the following problem.

I have an ASA 5510.

My ISP provides me with 2 separate public networks. One is routable from the outside world and one is not (and is used as a gateway for THAT routable network).

Assume that the non-routable network is a.a.a.a and the routable one is b.b.b.b.

So we have 2 interfaces on the ASA: a.a.a.1 and b.b.b.1.

Physically, network b.b.b.b is behind network a.a.a.a; one cable comes to me and is plugged into the ASA.

As I said, all traffic from/to the external (routable) network goes through network a.a.a.a (and a default gateway at the ISP).

So the problem:

For my international partners I need to provide VPN.

So the traffic flow is the following:

For example, a client with public IP 1.1.1.1 using the Cisco VPN client tries to connect to b.b.b.1.

The packet arrives at interface a.a.a.1 and... is being discarded.

7  Dec 24 2012  11:09:47  710005  1.1.1.1  62548  b.b.b.1  10000  TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000

I assume that the ASA discards the packet BECAUSE IT COMES FROM THE WRONG interface.

Am I right?

I also tried to set up a bypass policy, but with no effect.

Can someone point me to how to resolve this problem?
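The syslog row quoted in the question is ASA message ID 710005, which the firewall emits when a request to one of its own interface addresses has no listener to serve it. The following script is an added example (not from the original post or from Cisco) that parses such lines and flags the specific situation described in the thread: a discarded request whose destination is an ASA interface address, but which the message attributes to a different interface. The sample log lines, the interface names (`internet`, `outside`) and the nameif-to-IP map are constructed for this example and use RFC 5737 documentation addresses; the example also assumes that the interface name in the message is the interface the request arrived on.

```python
import re
from dataclasses import dataclass

# Syslog form of the message quoted in the thread (ASA message ID 710005):
#   %ASA-7-710005: TCP request discarded from SRC/SPORT to IFNAME:DST/DPORT
DISCARD_RE = re.compile(
    r"%ASA-(?P<sev>\d)-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<ifname>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)

# Constructed sample lines (documentation addresses, not real hosts).
# 203.0.113.x plays the remote VPN client; 192.0.2.1 and 198.51.100.1 stand in
# for a.a.a.1 and b.b.b.1 from the question.
SAMPLE_LOG = [
    "Dec 24 2012 11:09:47 %ASA-7-710005: TCP request discarded from 203.0.113.5/62548 to internet:198.51.100.1/10000",
    "Dec 24 2012 11:09:48 %ASA-7-710005: UDP request discarded from 203.0.113.5/500 to internet:198.51.100.1/500",
    "Dec 24 2012 11:10:02 %ASA-7-710005: TCP request discarded from 203.0.113.9/40001 to internet:192.0.2.1/10000",
    "Dec 24 2012 11:10:05 %ASA-7-710005: TCP request discarded from 203.0.113.9/40002 to internet:198.51.100.1/22",
    "Dec 24 2012 11:10:10 %ASA-6-302013: Built inbound TCP connection 12345 for internet:203.0.113.9/40003 (203.0.113.9/40003)",
]

# Assumed nameif -> interface IP map, as it would be taken from the ASA config.
INTERFACE_IPS = {"internet": "192.0.2.1", "outside": "198.51.100.1"}

# Ports the remote-access client is expected to use: IKE (UDP 500), NAT-T
# (UDP 4500) and the Cisco VPN Client's IPsec-over-TCP default (TCP 10000).
VPN_PORTS = (500, 4500, 10000)


@dataclass
class Discard:
    proto: str
    src: str
    sport: int
    ifname: str
    dst: str
    dport: int


def parse_discard(line):
    """Return a Discard for a 710005 line, or None for any other message."""
    m = DISCARD_RE.search(line)
    if not m:
        return None
    return Discard(m["proto"], m["src"], int(m["sport"]),
                   m["ifname"], m["dst"], int(m["dport"]))


def misdirected_to_own_ip(event, interface_ips):
    """True when the request targets an ASA interface address that belongs to
    a different interface than the one named in the message."""
    owner = {ip: name for name, ip in interface_ips.items()}
    if event.dst not in owner:
        return False          # not one of our own addresses; ordinary discard
    return owner[event.dst] != event.ifname


def audit(lines, interface_ips, vpn_ports=VPN_PORTS):
    """Scan log lines and return (src, ifname, dst, dport) for every discarded
    request that hit the wrong interface; vpn_ports=None disables the port filter."""
    findings = []
    for line in lines:
        ev = parse_discard(line)
        if ev is None:
            continue
        if vpn_ports is not None and ev.dport not in vpn_ports:
            continue
        if misdirected_to_own_ip(ev, interface_ips):
            findings.append((ev.src, ev.ifname, ev.dst, ev.dport))
    return findings


if __name__ == "__main__":
    for src, ifname, dst, dport in audit(SAMPLE_LOG, INTERFACE_IPS):
        print(f"VPN request from {src} to {dst}/{dport} arrived on '{ifname}', "
              f"which does not own {dst}")
```

Run against the sample, the two requests to 198.51.100.1 on ports 10000 and 500 are reported, the request to 192.0.2.1 on `internet` is not (it reached the interface that owns the address), and the SSH attempt on port 22 is ignored unless the port filter is disabled. A burst of such findings from a partner's address is the log-side signature of the design limitation Harish describes below, and is worth an alert before the partner reports a failed tunnel.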

2 Replies

Hello,

This is by design. The ASA doesn't allow communication to an interface IP address if the traffic is coming from a different interface. In my opinion, what you should do is give the b.b.b.1 IP address to your outside interface and let your VPN partners establish their VPN to that IP. Otherwise, let your provider route a.a.a.a globally.

regards

Harish

Yes, I know that the ASA doesn't allow it. But... maybe there is a way to work around this.

Because it's not possible to route it globally (I already asked the ISP for this).