Dual firewall setup with VPN

Roger Base
Level 1

Hi Forum.

I am going to redesign my network from a 1 firewall design (red box) to a dual firewall design (green box) with different functionality. But I am not sure how I should change/modify the VPN and NAT setup to get it to work. All my L2L and AnyConnect VPNs are using my single public IP address. So I guess I need one extra public IP address to accomplish this change. I was thinking to make a static NAT from my Public IP1 to the ASA2 DMZ interface. Is this the correct way to do it? I want all traffic to go through ASA1 for IPS/IDS inspection. All VPN terminations should happen on ASA2.

How to solve this change?


Marvin Rhoads
Hall of Fame

Given a single (or even 2) public IP addresses available, I don't think you can do it the way you're thinking.

The VPN firewall needs to terminate VPN clients on its true interface address. So if it was "outside" from ASA2, I would put the ASA1 in transparent mode and thus it would only be a "bump in the wire".

However I would place it "inside" the VPN firewall so that it does not have to bother with inspection of all the raw Internet script tools etc., and let the VPN ASA also be the main firewall and make a first pass at that garbage with standard ACLs.

You can continue to do interface NAT on ASA2 just like that function is on the current single ASA. You can then connect the ASA1 IDS/IPS inside and you can make it routed mode and get IPS for your east-west traffic between internal segments as well as the north-south traffic to/from the Internet. Also it will see all the VPN traffic unencrypted and be able to fully inspect it. In your proposal above, it would essentially be blind to VPN traffic.

I do not have the option to run in transparent mode. Will it not be possible if I use two interfaces on my VPN firewall as shown above?

Sorry - I misunderstood your original posting.

You can put the VPN firewall in a DMZ behind the Internet-facing one.

ASA1 = Internet-facing. Public IP address for the interface.

Second address is a 1-1 static NAT for ASA2 interface that terminates VPN users. Actually you could do this with a single public IP address as long as you can use tcp/443 dedicated to the VPN firewall (or PAT from some other port to tcp/443 and then have your users use a non-standard port for the SSL VPN).

In either case, ASA1-ASA2 link is a direct connection with a private /30 (or larger) subnet.

The static NAT (or PAT) on ASA1 translates the public IP to the ASA2 private IP and allows inbound communications for the SSL VPN over tcp/443 (or whatever non-default port if you choose to use it that way).
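The 1:1 static NAT and inbound access list Marvin describes, written out as ASA 8.3+ style configuration. This is an added example, not configuration from the thread or from either poster; the interface names (dmz on ASA1, outside on ASA2), the 192.168.255.0/30 link subnet and the RFC 5737 documentation address 203.0.113.2 are assumptions, and the ACL also admits the IKE/ESP ports an L2L tunnel needs in addition to tcp/443 for the SSL VPN.

```text
! ----- ASA1 (Internet-facing, IPS/IDS inspection) -----
! Private /30 link toward ASA2 (interface name "dmz" is assumed).
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.255.1 255.255.255.252

! Second public address (203.0.113.2, documentation range, constructed value)
! mapped 1:1 to ASA2's link address. A static NAT on the ASA translates every
! IP protocol, so ESP (IP protocol 50) is carried as well as TCP/UDP.
object network ASA2_VPN_IF
 host 192.168.255.2
 nat (dmz,outside) static 203.0.113.2

! Only the VPN control and data ports are allowed in toward ASA2.
! On 8.3+ code the ACL references the real (untranslated) address.
access-list OUTSIDE_IN extended permit tcp any object ASA2_VPN_IF eq 443
access-list OUTSIDE_IN extended permit udp any object ASA2_VPN_IF eq 443
access-list OUTSIDE_IN extended permit udp any object ASA2_VPN_IF eq isakmp
access-list OUTSIDE_IN extended permit udp any object ASA2_VPN_IF eq 4500
access-list OUTSIDE_IN extended permit esp any object ASA2_VPN_IF
access-group OUTSIDE_IN in interface outside

! ----- ASA2 (VPN terminator, behind ASA1) -----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.252

! Default route points at ASA1, so tunnel packets to any peer leave via ASA1
! and get the 1:1 translation on the way out.
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1

! Terminate the VPNs on the real interface address, as the thread states.
crypto ikev1 enable outside
crypto ikev2 enable outside
webvpn
 enable outside
```

The first line of tcp/443 and udp/443 covers the SSL VPN (TLS and DTLS); the isakmp/4500/esp lines cover L2L peers, which will detect the NAT and switch to UDP 4500 encapsulation. Check that each remote peer accepts the IKE identity ASA2 presents, since ASA2's own interface address differs from the public address the peer is configured with.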

That makes more sense. I couldn't understand your first message. Yes, I want ASA2 to terminate all VPNs (SSL, L2L). Can I have multiple IP addresses that can terminate VPN? For example, if I want to have two public IP addresses which can be used for VPN, and how?

But I don't understand what the difference is between having 1 direct connection between the ASAs or 2 direct connections. What are the benefits of having two direct connections (as shown in the above diagram)?

We typically terminate VPNs always on a single IP address on a given ASA.

The only way I can think of to use multiple ones would be to have separate ISPs and policy-based routing - very complex and not the case for your environment.

Usually it comes down to the routing capabilities on the ASA being relatively simplistic.

Multiple interfaces can serve several purposes. Generally speaking they come down to security (separate security zones on separate interfaces) and availability (using either Etherchannels bonding multiple physical interfaces or redundant interfaces on the firewall).

The reason I ask for multiple IP addresses is because I want to enable L2L on two public IP addresses on the ASA. So my client has the option to switch between those two IP addresses.

If I activate VPN (L2L) on the outside interface with IP 5.5.5.5, can I then just make a 1:1 NAT from outside to outside to 4.4.4.4 (on the same ASA)? Will the VPN work for those two IP addresses then?

Two problems:

1. The ASA would not have any idea how to route the traffic properly.

2. You would get no better high availability even if problem 1 did not exist since both addresses are on the same appliance.

If you want high availability for L2L VPN then you can have multiple ASAs (potentially at different sites or Internet ingress points) and configure them as the secondary peer for a given VPN.

Hi Marvin,

The reason I want 2 IP addresses for VPN is because I want to change the existing VPN IP address later on. I want to enable VPN on two IP addresses and start migrating from one address to the new IP address, instead of just changing my IP address and all my L2L VPNs going down.

I like the design above with two interfaces between ASA1 and ASA2. But I don't understand how I should force L2L VPN tunnels going through ASA2 (VPN fw) out to the internet.

Hmm, for future migration purposes you could have your peers set the future IP address as a secondary tunnel address. Once you make that active, they will all fail over to that. You can tell them to change it to the sole and primary address at their convenience later.

The tunnels go from ASA2 outside interface out via ASA1 due to ASA2's default route being out that interface (or at least the route to the peer IP addresses - generally the same thing.)

Hi Marvin, thanks for your reply. The issue here is that my peers are also non-Cisco devices. So a secondary tunnel address is not supported on all devices. But the question is how do I enable a secondary tunnel address on my site? So if I for example have 5.5.5.1 as the outside interface IP, how do I then add an extra IP address (for example 5.5.5.2) on my outside interface and enable VPN so my peers can use both IP addresses to establish VPN with?

You would not do so on your site. At a given time only one IP address would be your end's peer ID. That would be the public IP on ASA1 that is translated to IP1 on ASA2.

If, say, you change upstream ISPs then the new public IP address translates to your same private IP (IP1 on ASA2). If your peers have the capability to use the secondary tunnel address, they would flip to it as soon as the primary went away. If they did not (non-Cisco or whatever reason), then they would need to change the address they are looking for at your end when you change over to it.

Hi Marvin. Thanks for your help. So if I decide to implement this scenario with only 1 interface between ASA1 & ASA2, how should my L2L work when I try to start a tunnel from my inside network? Do I then need to route all L2L subnets on ASA1 to ASA2 and make a U-turn on ASA2 and back to ASA1? Will this work with only 1 interface between ASA1 and ASA2?

Flow for L2L from inside:

Inside network -> ASA1 -> ASA2 -> ASA1 -> Internet peer

Flow for L2L from outside:

Internet peer -> ASA1 -> ASA2 -> ASA1 -> Inside network

Roger,

Ideally your core would have a route via ASA 2 for all the remote L2L subnets. That could be advertised from ASA2 via a dynamic routing protocol (OSPF, EIGRP or BGP) or it could be a static route in the core overriding the default route to ASA1.

So it would be the flow you described except the first one would not have ASA1 as its first hop.

Hi Marvin. Just to summarize this discussion.

So I ended up with these two different designs. I guess both will work in a real lab environment. Do I need to make static routes on ASA1 for L2L traffic from my internal network to my Internet peer with Design 2? So my unencrypted traffic will flow on the DMZ2 interface and encrypted traffic will flow on DMZ1.

Thank you.
