VPN terminated on NATted IP address of Outside Interface

M.Jallad
Level 1

I have an ASA/FTD configured with a public IP address on the outside interface for ISP1, pointing to a next-hop router that is configured with another public IP address from the same ISP1 subnet. We have a new requirement to add another ISP2 and move all services (published servers + VPN site-to-site tunnels) to ISP2 gradually.

I was thinking about whether it's possible to replace the ISP1 subnet with a private IP subnet (between the ASA outside and the next-hop internet router):

inside --|ASA| -- outside      <----- New Private Subnet ------>    LAN -- |Internet router|

Both ISP links will be connected to the internet router, and we can control inbound/outbound routing to both public subnets (for ISP1 and ISP2) through BGP with the cooperation of both ISPs.

Now we will do all static bidirectional NATting for both public subnets on the ASA as below:

- Service-X (published services)

nat (inside,outside) source static service-x-real-ip service-x-ISP1-IP destination static any any

nat (inside,outside) source static service-x-real-ip service-x-ISP2-IP destination static any any

and configure "arp permit-nonconnected".

- My concern is the VPNs; can I have a VPN terminated on a NATted public IP, for example ISP1-IP-For-VPN, with the below configured:

nat (any,outside) source static ASA-outside-ip ISP1-IP-For-VPN destination static any any

and maybe have "same-security-traffic permit intra-interface" configured, just in case the ASA/FTD would drop incoming VPN traffic.

Is this a valid configuration? Should this scenario work as expected?

I know we can have a separate link for ISP2 and do the usual PBR, but I want to know if it's possible to do this on Cisco ASA/FTD.

Thanks ,

Jallad

8 Replies

Hi

Your site-to-site VPNs use the firewall's public IP address to establish the tunnel, right? Or do they terminate on the router? If you change the firewall's outside interface IP address, you need to update all your VPN peers with the new IP address. Wouldn't it be easier to do this with the new ISP already? Or are you moving the firewall's outside IP address to the router to keep the same VPN peering IP address, and then using NAT to get the tunnel to the ASA?

@Flavio Miranda Right, all VPNs are currently peering with a public IP address on the ASA outside interface.

I was thinking of the below :

- Change the current outside interface IP address to a new private IP (say x.x.x.1).

- Change the current internet router LAN interface IP address to a new private IP (say x.x.x.2).

- Have any new or existing ISP public subnets NATted on the ASA itself.

- Have the internet router forward any inbound request for any of these public subnets towards the ASA IP address (x.x.x.1).

- Change the ASA default route towards (x.x.x.2).

In this scenario, the peer should not observe any changes, except maybe for the local identity, which might need to be modified.

But if the ASA has a public IP today and the remote peer VPN is calling this IP, and you simply make this IP disappear, they will keep trying to establish a connection with that IP.

I was expecting you to transfer the ASA outside interface IP address to the router, so that when a remote VPN peer tries to establish a VPN with the ASA outside interface, it hits the router and the router forwards to the ASA private IP address.

From the remote peer's perspective it would still be speaking with the ASA, but internally it hits the router first and then the ASA.

Because the way you mentioned, it would be necessary to update all your VPN remote peers with a new IP address, no?

The internet router has two connections to ISPs, ISP1 and ISP2.
The NATing and PBR are done on the internet router, not on the ASA/FTD.
The VPN S2S needs some work, but not on the ASA/FTD side; on the other side,
the other side needs to set <ISP1><ISP2>,
and the internet router uses static PAT for ports 500/4500.

@MHM Cisco World Why can't I NAT both ISP subnets on the ASA outside interface and use "arp permit-nonconnected"?

for example:

nat (any,outside) source static {ASA-Outside-private-IP} {ISP1-Public-IP} destination static {Peer-X} {Peer-X}

and even publish the other ISP subnet:

nat (any,outside) source static {ASA-Outside-private-IP} {ISP2-Public-IP} destination static {Peer-Y} {Peer-Y}

and have remote Peer-X connect their VPN to {ISP1-Public-IP}, and Peer-Y to {ISP2-Public-IP}, for example.

Is the ASA directly connected to the ISP? Or is there an edge router?

There is an edge router handling BGP incoming/outgoing for both ISPs.

Since there is an L3 device between the ASA/FTD and the ISP, you cannot use a public IP on the ASA/FTD.
You need to use the outside private IP (the IP of the subnet connecting the ASA/FTD) for the VPN S2S.
The edge router will NAT the private IP to a public IP (here you need PBR on the edge router to forward traffic via ISP1 or ISP2).

The other side will see two IPs for the VPN S2S to the ASA/FTD, and you can use set peer1 (ISP1) peer2 (ISP2).
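The edge-router design described in the last reply, written out as an added example that is not part of the thread or of any poster's configuration; the interface names, the 192.168.100.0/24 transit subnet, the 203.0.113.10 / 198.51.100.10 public VPN addresses (RFC 5737 documentation ranges), the ACL and transform-set names and the PSK placeholders are all assumptions.

```cisco
! --- Edge router (Cisco IOS), constructed example ---
interface GigabitEthernet0/0
 description Transit LAN toward ASA outside (the x.x.x.0/24 of the thread)
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description ISP1 uplink
 ip nat outside
!
interface GigabitEthernet0/2
 description ISP2 uplink
 ip nat outside
!
! Static PAT for IKE (UDP/500) and NAT-T (UDP/4500) from each ISP's
! public VPN address to the ASA's private outside IP. "extendable" lets
! the same inside address carry more than one static translation.
ip nat inside source static udp 192.168.100.1 500  203.0.113.10  500  extendable
ip nat inside source static udp 192.168.100.1 4500 203.0.113.10  4500 extendable
ip nat inside source static udp 192.168.100.1 500  198.51.100.10 500  extendable
ip nat inside source static udp 192.168.100.1 4500 198.51.100.10 4500 extendable
!
! --- Local ASA/FTD: tunnels are built from the private outside IP ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.100.2
! Both peers detect the NAT in the path, so ESP is carried inside UDP/4500
! and no IP protocol 50 translation is needed on the router (IKEv1 setting;
! IKEv2 negotiates NAT-T on its own).
crypto isakmp nat-traversal 20
crypto ikev1 enable outside
!
! --- Remote peer (ASA): both public addresses, tried in order ---
crypto map outside_map 10 match address VPN-TO-HQ
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <psk-placeholder>
```

The router lines cover inbound (remote-initiated) IKE only; for tunnels the ASA initiates, the router still needs the PBR the reply mentions to choose which public address and ISP each peer's traffic leaves through. Because the ASA presents its private address as its IKE identity, check that the remote peers accept that identity (the local-identity point raised earlier in the thread) before cutting over.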