I apologize if this has been asked and answered in the forums. I searched and while I found a large number of entries that danced all around this particular question, I never found anything that addressed this specific question. We are currently using an ASA 5520 as the head end of a relatively large client-to-site IPSEC VPN (roughly 240 users, not concurrently). This ASA is currently sitting behind a Checkpoint firewall with an actual publicly addressable IP address on its public interface. All our clients are using the legacy Cisco VPN client (not the AnyConnect one). We are planning on putting a couple of F5 Link Controllers in place between the ISPs and the firewalls. For VPN connectivity F5 recommends that we NAT the IP address (called a Wide IP) at the F5 and point it back to a private IP address on the ASA. My question is, will this work? I've always heard that the head end needed to have a public IP address on it as that's what will be placed in the packets for the client to talk back to.
For clarification, here's what we have currently and what we're being asked to go to:
ISP - Router ------ Firewall ------ ASA (public IP address as endpoint)
ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ Firewall ------ ASA (10.X.X.X as its outside interface)
ISP - Router ------ F5 (public IP address as endpoint, NATed to ASA) ------ ASA (10.X.X.X as its outside interface)
Any and all thoughts at this time would be greatly appreciated. Thanks!
Also, you should ensure that NAT traversal is enabled, which it should be by default. It's one of those commands that does not show up in the config when it's enabled. To turn it on use: crypto isakmp nat-traversal. The 'no' form of the command will disable it.
If there is a one-to-one static NAT on the F5 for the ASA's outside interface, then I do not think there would be any issues.
Because when the client attempts to build an IKE connection to the translated public IP address, the F5 will redirect the request to the ASA's outside interface, which is configured for VPN.
Also, ensure that UDP 500, UDP 4500 and ESP are allowed and then you should be good to go.
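To illustrate why the replies above stress NAT traversal and the UDP 4500 rule, here is an added example (not from anyone in this thread) of the RFC 3947 NAT-D check that an IKEv1 responder such as the ASA performs. The cookies and addresses are constructed, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    # RFC 3947 NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
    # SHA-1 is an assumption; the real digest follows the ISAKMP SA proposal.
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def responder_nat_check(cky_i, cky_r, local_ip, local_port,
                        peer_ip, peer_port, peer_nat_d):
    """peer_nat_d = (initiator's hash of the address it dialled,
                     initiator's hash of its own source address).
    Returns (responder_behind_nat, initiator_behind_nat)."""
    dialled_hash, peer_src_hash = peer_nat_d
    my_local = nat_d_hash(cky_i, cky_r, local_ip, local_port)
    my_view_of_peer = nat_d_hash(cky_i, cky_r, peer_ip, peer_port)
    # A mismatch on either side means an address was rewritten in transit.
    return (dialled_hash != my_local, peer_src_hash != my_view_of_peer)

def ports_to_permit(nat_result):
    """Traffic the F5/firewall path must pass once detection has run."""
    if any(nat_result):
        return {"udp/500", "udp/4500"}      # IKE plus ESP-in-UDP
    return {"udp/500", "esp"}               # IKE plus native ESP

def f5_wide_ip_scenario(wide_ip="203.0.113.10", asa_outside="10.0.0.5"):
    """Constructed topology: client -> F5 Wide IP -> static NAT -> ASA outside."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    client_ip, client_port = "198.51.100.7", 500
    # The VPN client hashes the public Wide IP it connected to and its own source.
    client_nat_d = (nat_d_hash(cky_i, cky_r, wide_ip, 500),
                    nat_d_hash(cky_i, cky_r, client_ip, client_port))
    # The ASA hashes what it actually sees: its private outside IP and the client.
    return responder_nat_check(cky_i, cky_r, asa_outside, 500,
                               client_ip, client_port, client_nat_d)

if __name__ == "__main__":
    result = f5_wide_ip_scenario()
    print("NAT in front of ASA:", result[0], "| in front of client:", result[1])
    print("Permit:", sorted(ports_to_permit(result)))
```

With the F5 translating the Wide IP to the ASA's 10.x outside address, the responder-side mismatch is exactly what triggers the float to UDP 4500; run the scenario with the same address on both sides to see native ESP selected instead.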