05-21-2021 12:15 AM
Hi Experts, we have an ISP asking us to enable public IPs in what appears to me to be a weird and possibly wrong way, at least with the devices we have available.
We have a Cisco 5506-X ASA that is using an IPsec tunnel to the hub site.
They are suggesting we use static ARP to inject the public IP addresses onto the MAC address of the outside interface, then assign a private address to the outside interface and also route all traffic to the private default gateway ("the ISP-side interface").
My question is: would this even work when doing VPN tunnels, since the public addresses aren't even assigned to an interface?
05-21-2021 12:22 AM
Not sure I'm totally following their logic tbh... but on an ASA you can only terminate a VPN on the IP address assigned to an interface. So if you plan to establish a VPN over the internet and have a private IP address on the outside interface, it isn't going to work.
05-21-2021 12:30 AM
Hi Rob,
Thanks for the reply, I am in the same boat; it is not making much sense. Here is how I see it and how I think they see it working:
interface GigabitEthernet1/1
 nameif outside
 ip address 172.16.0.2 255.255.255.252
 ! MAC address of this interface (placeholder value as written above): 1.2.3.4
!
route outside 0.0.0.0 0.0.0.0 172.16.0.1
! static ARP entry binding the ISP's public IP to the outside interface's MAC
arp outside 185.x.x.1 1.2.3.4
I'm guessing on their network they have the routing for the public IPs set to be over this p2p connection. But I can't see it working when you want to terminate a VPN tunnel on a "virtual IP"; am I right in saying this? I want to give them feedback as to what they would need to do, which is install a device that can enable the public IPs and give us the default gateway of said public range.
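As an added illustration (not code from anyone in this thread, nor a Cisco tool), here is a small Python audit that parses an ASA-style configuration modelled on the snippet above and flags exactly the design being questioned: the public address exists only as a static ARP entry, while the crypto map is bound to an interface that holds an RFC 1918 private address. The config text, the MAC and the addresses are constructed stand-ins; 203.0.113.1 (an RFC 5737 documentation address) takes the place of the redacted 185.x.x.1, and 198.51.100.10 stands in for the hub peer.

```python
"""Config audit: can this ASA terminate IPsec on the address the hub expects?

Constructed example. ASA terminates site-to-site IPsec only on an address
that is configured on an interface, so an address that appears solely in a
static ARP entry is reported as a failure.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed ASA-style fragment modelled on the thread's snippet.
# 203.0.113.1 = the ISP-supplied public IP (documentation range, stand-in).
# 172.16.0.2  = the private point-to-point address the ISP proposed for "outside".
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
arp outside 203.0.113.1 0011.2233.4455
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
"""


@dataclass
class AsaView:
    interface_ips: dict = field(default_factory=dict)    # nameif -> ip
    static_arp: dict = field(default_factory=dict)       # ip -> (nameif, mac)
    crypto_interfaces: set = field(default_factory=set)  # nameifs with a crypto map bound


def parse_asa(config: str) -> AsaView:
    """Collect interface addresses, static ARP entries and crypto-map bindings."""
    view = AsaView()
    current_if = None
    nameif = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current_if, nameif = line.split()[1], None
            continue
        if line.startswith(" ") and current_if:
            parts = line.split()
            if parts[0] == "nameif":
                nameif = parts[1]
            elif parts[0:2] == ["ip", "address"] and nameif:
                view.interface_ips[nameif] = parts[2]
            continue
        current_if = None  # an unindented line ends the interface stanza
        m = re.match(r"arp (\S+) (\S+) (\S+)", line)
        if m:
            view.static_arp[m.group(2)] = (m.group(1), m.group(3))
        m = re.match(r"crypto map \S+ interface (\S+)", line)
        if m:
            view.crypto_interfaces.add(m.group(1))
    return view


def vpn_endpoint_status(view: AsaView, expected_local_ip: str) -> str:
    """Classify how the address the hub peers with is realised on this ASA."""
    for nameif, ip in view.interface_ips.items():
        if ip == expected_local_ip:
            if nameif in view.crypto_interfaces:
                return "ok: interface address with crypto map applied"
            return f"warn: on interface {nameif} but no crypto map bound there"
    if expected_local_ip in view.static_arp:
        nameif, _mac = view.static_arp[expected_local_ip]
        return (f"fail: {expected_local_ip} exists only as a static ARP entry on "
                f"{nameif}; ASA terminates IPsec only on interface addresses")
    return f"fail: {expected_local_ip} is not configured on this ASA at all"


def private_vpn_interfaces(view: AsaView) -> list:
    """Crypto-map interfaces whose own address is RFC 1918 private: an internet
    hub cannot reach such an address as the tunnel endpoint."""
    result = []
    for nameif in sorted(view.crypto_interfaces):
        ip = view.interface_ips.get(nameif)
        if ip and ipaddress.ip_address(ip).is_private:
            result.append(nameif)
    return result


if __name__ == "__main__":
    v = parse_asa(SAMPLE_CONFIG)
    print(vpn_endpoint_status(v, "203.0.113.1"))
    print("private-addressed VPN interfaces:", private_vpn_interfaces(v))
```

Run against the constructed config it reports the public address as "fail: ... exists only as a static ARP entry" and lists "outside" as a private-addressed VPN interface; both findings match the objection raised in this thread.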
05-21-2021 12:44 AM
I agree with you, I don't see how this would work... I doubt it would even be supported by Cisco.
This might work with a Cisco router, as you don't have to terminate a VPN on the outside interface IP address. You could then place the ASA behind the router (you'd have to NAT)... but this is becoming a needlessly complex solution, which should be straightforward.
05-21-2021 12:47 AM
Agreed, I have already proposed this to them as well. Thanks for the clarification.