crypto map outside_map interface outside - Source Peer Address Query

Unanswered Question
Oct 18th, 2013

Hi All,


I have got a technical query around the function of source addresses on IPsec L2L VPNs.


My customer has their ASA5512-X HA pair running 9.1(2) and existing IPsec L2L tunnels. They have various other Cisco routers and firewalls in the outside network that also terminate multiple L2L tunnels to other sites. The question is: can I create/consolidate all these other L2L VPNs onto the ASA5512-Xs and continue to source them from the L2L peer addresses of the other devices, e.g. some sort of Proxy ARP on the outside interface for these additional addresses?


Obviously I can use policy NAT to modify the source address on traffic traversing the ASA firewalls, but to my knowledge this is not going to change the actual IPsec L2L VPN source peer address, or is it?


This fix is to avoid changing the peer address with multiple customer peers.


Thank you

Jouni Forss Fri, 10/18/2013 - 04:41

Hi,


I am at least not aware of any way to do this. So to my understanding it's not possible to use any other IP address as your VPN peer IP other than an IP address that is configured on an actual interface of the device.


And I guess for the above situation to work each current VPN device would have to be on a different public IP address range (or be split into those if they are from the same subnet) for you to be able to configure an external interface for each of them. And even then you would have to make sure with routes that each remote VPN peer IP would be routed through the correct external interface, and also handle the routing for the remote networks behind those interfaces.


- Jouni
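As an added illustration of the arrangement Jouni describes (this is not configuration from the original thread or from the poster's devices), here is an ASA configuration with two tagged outside subinterfaces, each owning one public peer address, its own crypto map binding, and its own host route to the remote peer. All addresses, VLAN IDs, interface and object names, and the ESP-AES-SHA transform set are constructed examples.

```cisco
! Physical uplink carries two ISP VLANs; each subinterface owns one public address
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Interesting traffic for each tunnel (constructed private ranges)
access-list VPN_SITE_A extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_SITE_B extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Tunnel to site A is sourced from 203.0.113.2 because the map is bound to "outside"
crypto map outside_map 10 match address VPN_SITE_A
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Tunnel to site B is sourced from 198.51.100.2 because this map is bound to "outside2"
crypto map outside2_map 10 match address VPN_SITE_B
crypto map outside2_map 10 set peer 192.0.2.20
crypto map outside2_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside2_map interface outside2
!
crypto ikev1 enable outside
crypto ikev1 enable outside2
!
! Each remote peer (and the networks behind it) must route out the interface that owns the matching peer address
route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
route outside 10.2.0.0 255.255.0.0 203.0.113.1 1
route outside2 192.0.2.20 255.255.255.255 198.51.100.1 1
route outside2 10.3.0.0 255.255.0.0 198.51.100.1 1
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PSK_SITE_A_PLACEHOLDER>
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key <PSK_SITE_B_PLACEHOLDER>
```

The peer address the remote side sees is always the address of the interface the crypto map is bound to, which is why this only works when each consolidated tunnel gets its own addressed interface.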

CSCO11377298 Fri, 10/18/2013 - 05:43

Hi Jouni,


Thanks for your input here. Yes, I also saw that the only other way to do this would be to create the outside network as individual subinterfaces, but this would mean creating /31s with the ISP (probably even more trouble than the customers changing their peer addresses), and also some of these current VPN sources are contiguous, meaning it wouldn't be possible to break up the network.


Thanks again
