VPN using static ARP

chrisbuchner
Level 1

Hi Experts, we have an ISP asking us to enable public IPs in what appears to me to be a weird and possibly wrong way, at least with the devices we have available.

 

We have a Cisco 5506-X ASA that is using an IPsec tunnel to the hub site.

 

They are suggesting we use static ARP to inject the public IP addresses into the MAC address of the outside interface, then assign a private address to the outside interface and also route all traffic to the private default gateway (the ISP-side interface).

 

My question is: would this even work when doing VPN tunnels, since the public addresses aren't even assigned to an interface?

4 Replies

Hi @chrisbuchner

Not sure I'm totally following their logic, tbh... but on an ASA you can only terminate a VPN on the IP address assigned to an interface. So if you plan to establish a VPN over the internet and have a private IP address on the outside interface, it isn't going to work.

Hi Rob,

Thanks for the reply. I am in the same boat; it is not making much sense. Here is how I see it and how I think they see it working:

interface GigabitEthernet1/1
 nameif outside
 ip address 172.16.0.2 255.255.255.252
! (the outside interface's own MAC, shown here as a placeholder: 0011.2233.4455)

route outside 0.0.0.0 0.0.0.0 172.16.0.1

! static ARP entry mapping the public address to the outside interface's MAC
arp outside 185.x.x.1 0011.2233.4455

I'm guessing that on their network they have the routing for the public IPs set to go over this p2p connection. But I can't see it working when you want to terminate a VPN tunnel on a "virtual IP"; am I right in saying this? I want to give them feedback as to what they would need to do, which is to install a device that can enable the public IPs and give us the default gateway of said public range.
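To make the objection in this thread concrete, here is an added example (not from the original post and not Cisco code): a small Python lint over an ASA config fragment that lists the addresses the ASA could actually terminate IKE/IPsec on (only interface addresses) and flags static ARP entries that point an address at the ASA's own MAC while no interface owns it. The config text is a constructed sample modelled on the snippet above; 198.51.100.1 stands in for the ISP's public address, and the MACs and the `mac-address` line are placeholders.

```python
"""Lint an ASA config fragment for the 'public IP via static ARP' scheme.

Added example for this thread, not Cisco code.  The sample config and all
addresses/MACs in it are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the snippet in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
 mac-address 0011.2233.4455
!
route outside 0.0.0.0 0.0.0.0 172.16.0.1
arp outside 172.16.0.1 0011.2233.aaaa
arp outside 198.51.100.1 0011.2233.4455
"""

# 'arp <nameif> <ip> <mac>' lines; ASA writes MACs as hhhh.hhhh.hhhh
ARP_RE = re.compile(r"^arp\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]{14})")


@dataclass
class Iface:
    name: str                          # e.g. GigabitEthernet1/1
    nameif: str                        # ASA logical name, e.g. outside
    address: ipaddress.IPv4Interface   # assigned ip + mask
    mac: str | None = None             # from 'mac-address', if configured


def parse_interfaces(config: str) -> dict[str, Iface]:
    """Return {nameif: Iface} for interfaces with a nameif and a static IPv4 address."""
    found: dict[str, Iface] = {}
    block: dict | None = None
    for line in config.splitlines():
        if line.startswith("interface "):
            block = {"name": line.split(None, 1)[1].strip()}
            continue
        if block is None:
            continue
        if not line.startswith(" "):
            block = None  # an un-indented line ends the interface block
            continue
        parts = line.split()
        if parts[0] == "nameif" and len(parts) > 1:
            block["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4 and parts[2] != "dhcp":
            block["address"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] == "mac-address" and len(parts) > 1:
            block["mac"] = parts[1].lower()
        if "nameif" in block and "address" in block:
            found[block["nameif"]] = Iface(block["name"], block["nameif"],
                                           block["address"], block.get("mac"))
    return found


def parse_static_arp(config: str) -> list[tuple[str, str, str]]:
    """Return (nameif, ip, mac) for every static 'arp' line."""
    return [(m.group(1), m.group(2), m.group(3).lower())
            for m in map(ARP_RE.match, config.splitlines()) if m]


def vpn_terminable_addresses(config: str) -> list[str]:
    """Addresses an ASA can terminate IKE/IPsec on: only those assigned to an interface."""
    return sorted(str(i.address.ip) for i in parse_interfaces(config).values())


def check_static_arp(config: str) -> list[dict]:
    """Flag static ARP entries that cannot give the ASA a usable VPN endpoint."""
    ifaces = parse_interfaces(config)
    owned = set(vpn_terminable_addresses(config))
    findings = []
    for nameif, ip, mac in parse_static_arp(config):
        reasons = []
        iface = ifaces.get(nameif)
        if iface is None:
            reasons.append(f"nameif {nameif} has no static IPv4 address")
        else:
            if ipaddress.IPv4Address(ip) not in iface.address.network:
                reasons.append(f"{ip} is not in {iface.address.network}, "
                               f"the connected subnet of {nameif}")
            # An entry pointing the address at the ASA's own MAC is the
            # 'inject the public IP into our MAC' idea: the address is still
            # not assigned to any interface, so no VPN can terminate on it.
            if iface.mac and mac == iface.mac and ip not in owned:
                reasons.append(f"{ip} points at {nameif}'s own MAC but no interface "
                               f"owns it; IKE/IPsec cannot terminate on it")
        if reasons:
            findings.append({"nameif": nameif, "address": ip, "mac": mac,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("VPN-terminable addresses:", vpn_terminable_addresses(SAMPLE_CONFIG))
    for f in check_static_arp(SAMPLE_CONFIG):
        print(f"arp {f['nameif']} {f['address']} {f['mac']}:")
        for r in f["reasons"]:
            print("  -", r)
```

Run as-is, the lint reports only 172.16.0.2 as a possible VPN endpoint and flags the 198.51.100.1 entry twice (outside the /30 and pointing at the ASA's own MAC without being owned by an interface); the gateway entry for 172.16.0.1 is a normal neighbour mapping and passes.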

I agree with you, I don't see how this would work... I doubt it would even be supported by Cisco.

This might work with a Cisco router, as you don't have to terminate a VPN on the outside interface IP address. You could then place the ASA behind the router (you'd have to NAT)... but this is becoming a needlessly complex solution to something that should be straightforward.

Agreed, I have already proposed this to them as well. Thanks for the clarification.