We need to create an STS tunnel with one of our clients. They have a load balancer in front of their firewall; two ISP links are terminated on the load balancer, and the load balancer's internal network is connected to the firewall. The firewall interface connected to the LB has a private IP address assigned and acts as the WAN port, and the firewall has one internal interface configured where the servers are placed, so there are two NATs here: one at the firewall and a second on the LB. The LB has NAT configured with the public IPs of the ISPs, and both ISPs' IPs terminate on the LB, not on the firewall. Now we need to establish an STS tunnel with the client firewall, where the public IP is not terminated on the firewall. Is it possible that, with the private IP on the outside interface of the firewall, I do the NAT on the LB with a public IP and then create the tunnel on the firewall? Would it work? Please explain in detail whether it works or not.
I hope it should work if you do one-to-one NAT on the load balancer with a public IP to the private IP of the firewall's outside interface, and have a rule that allows the required traffic to the firewall outside IP, or an any-any rule set for the NAT, i.e. one that does not block any traffic towards the firewall outside IP.
Client end (Public IP) --> ISP --> LB (public-to-private IP NAT towards firewall interface) --> ASA (configured with the private IP as its outside and VPN peer IP as it is).
Let me go through some scenarios and possibly confirm the same for you...
I am not sure whether I understood your requirement correctly, but this is what I understood: your remote site has a load balancer with 2 ISPs to share the load. The firewall's outside interface has a private IP which is connected on the inside of the LB, and the LB is doing the NATting.
Unfortunately, VPN doesn't work with load balancing.
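The topology the first answer describes (client public IP -> ISP -> LB with one-to-one NAT -> ASA with a private outside IP), modelled as an added example that is not code from this thread or from Cisco. It shows why the NAT on the LB has to be a static one-to-one mapping: address-only translation forwards both IKE (UDP) and port-less ESP (IP protocol 50) in either direction, while a many-to-one port overload drops ESP because it has no port to track. Addresses are constructed placeholders, and NAT-T (UDP/4500 encapsulation) and port rewriting are deliberately left out of the model.

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17               # IP protocol numbers
IKE_PORT = 500                  # IKE; NAT-T moves it to UDP/4500, same logic applies

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for ESP: protocol 50 carries no port numbers
    dport: Optional[int] = None

class StaticNat:
    """1:1 NAT on the LB: rewrites addresses only, so port-less ESP passes both ways."""
    def __init__(self, public_ip: str, private_ip: str):
        self.public_ip, self.private_ip = public_ip, private_ip
    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.private_ip) if pkt.dst == self.public_ip else None
    def outbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, src=self.public_ip) if pkt.src == self.private_ip else None

class PortOverloadNat:
    """Many-to-one PAT: keys its table on (proto, port), which ESP cannot supply."""
    def __init__(self, public_ip: str):
        self.public_ip, self.table = public_ip, {}
    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None              # no port to track: ESP is dropped here
        self.table[(pkt.proto, pkt.sport)] = pkt.src
        return replace(pkt, src=self.public_ip)
    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        return replace(pkt, dst=inside) if inside else None

def tunnel_passes(nat, asa_private: str, peer: str) -> bool:
    """IKE request/reply, then ESP in both directions; True only if every leg is forwarded."""
    legs = [
        ("out", Packet(asa_private, peer, UDP, IKE_PORT, IKE_PORT)),
        ("in",  Packet(peer, nat.public_ip, UDP, IKE_PORT, IKE_PORT)),
        ("out", Packet(asa_private, peer, ESP)),
        ("in",  Packet(peer, nat.public_ip, ESP)),
    ]
    return all((nat.outbound(p) if d == "out" else nat.inbound(p)) is not None
               for d, p in legs)

# Constructed placeholder addresses (documentation ranges), not the poster's real ones.
ASA_OUTSIDE, LB_PUBLIC, CLIENT_PEER = "192.168.100.2", "203.0.113.10", "198.51.100.7"
```

Calling `tunnel_passes(StaticNat(LB_PUBLIC, ASA_OUTSIDE), ASA_OUTSIDE, CLIENT_PEER)` returns True, while the same call with `PortOverloadNat(LB_PUBLIC)` returns False once the first ESP packet is reached.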