I'm looking for a smart way to achieve this configuration, the edge devices are both ASA 5520.
I would like to create 2 differents IPSEC tunnel:
- LAN1 <> LAN3 using PUBLIC_IP1
- LAN2 <> LAN3 using PUBLIC_IP2
The problem I have: the peer IP3 have only one IP, so it is the same peer address for the 2 differents. And, moreover, I don't know if is should be possible to use different route for a same peer...
Is anyone has an idea how to do it...?
Thanks a lot...
Sorry Erwan, but I don't think you will make it working.
You basically need two IP addressess on the LAN3 side. There is no policy based routing on ASA, so no way to achieve something like that.
There were people who were trying to do PBR through the NAT, but never heard of this magic really working for outgoing traffic. Especially from the box.
Thanks for you answer... Effectively, there no PBR on ASA...
What I'm asking, the LAN3 is a public network (routed address), don't you think that it could be possible to establish a tunnel from IP1/IP2 to the IP of LAN3 affected on the "lan" port of the ASA ...?
Alright so the key is that 3.0 needs to be addressed differently by 1.0 than 2.0 and ASA with dual ISPs needs to have something that'll tell it how to route when PBR is not an option
Here's what I believe should get it working. I haven't had a chance to test it out and if you can lab/implement it please let us know the reasults
on FW with dual ISPs:
static (ISP1,inside) 192.168.4.0 192.168.3.0 netmask 255.255.255.0
static (ISP2,dmz) 192.168.5.0 192.168.3.0 netmask 255.255.255.0
The hosts behind this dual ISP FW will need to address the remote (3.0) subnet using the above ips (4.0 and 5.0)
i.e when 192.168.1.5 wants to ping to 192.168.3.15 it actually needs to ping 192.168.4.15
when 192.168.2.5 wants to ping to 192.168.3.15 it actually needs to ping 192.168.5.15
and above statics will handle the natting and switch 4.15 and 5.15 to 3.15 and send it over
Since we have static (ISP1,inside) and static (ISP2,dmz) traffic will be sent over correct ISP depending on which subnet (1.0 or 2.0) it originates from
Yeah routing to 3.0 network you could do with NAT on >8.3. In configuration that you posted it is pre 8.3 and I am preety sure that traffic from 5.0 won't go to 3.0 through dmz since order of operations on ASA 8.2 is different (first route-lookup).
This part you could workaround with ASA > 8.3, but the biggest problem is that you would need to set up the same set peer IP3 in two crypto maps on two different interfaces. On ASA you can have only one route to one host, so there is no chance that ASA with two ISPs will go both links to IP3.
Regarding to Erwan statement - if the IP addresses inside are routable that it would be the best to create S2S tunnel with some other router inside the LAN - with ASA you won't achieve exactly what you want.
Thanks for your answers.
The main problem is the 2 differents tunnels with the same peer IP3.... There is no other router/firewall inside the LAN3.
Can you suggest me a device able to do what I'm looking for ?
That's why it is NOT a good idea to terminate VPN on ASA with complex scenarios. ASA is not designed for this kind of thing.
Go with Cisco IOS. It can do exactly what you'r looking for either with DMVPN or GRE/IPSec with floating route. Either will work. You manipulate with routing metric.
Ok, I will take a look to Cisco IOS for next purchase...
BTW, David, I think we already met before . Are you working for the red square provider ...?
Order of operation for destination nat is nat first and then route lookup
Whoever has access to asas, I would suggest labbing up my approach
I don't have access to Asas currently so I can't lab it
Sent from Cisco Technical Support iPhone App