767 Views | 5 Helpful | 2 Replies

How to use non-interface IP for Site-to-site VPN ASA?

WHindriks (Level 1)

I am trying to set up a site-to-site VPN from an ASA 5506. The ISP has provided an IPoE connection in which the interface IP is a non-publicly-routable IP, plus a routed subnet which is to be used to access the internet.

The interface IP is 1.1.1.1 and the IP I need to use when going on the internet is 2.2.2.2.

I have set up a NAT rule which translates all outgoing traffic to the 2.2.2.2 IP; this enables me to access the internet.

When I want to set up a site-to-site VPN, the outgoing IP being used is the WAN IP (1.1.1.1), and the traffic never arrives at the other site. Is it possible to have the ASA use IP 2.2.2.2 as the source for the VPN?


Config snippets:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

interface GigabitEthernet1/1
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
object network WAN_IP_1
 host 2.2.2.2
access-list WAN_cryptomap extended permit ip 10.1.3.0 255.255.255.0 object Datacentre
nat (LAN,any) source static LAN LAN destination static Datacentre Datacentre no-proxy-arp route-lookup
nat (LAN,WAN) source dynamic LAN WAN_IP_1
!
route WAN 0.0.0.0 0.0.0.0 1.1.1.2 1
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set pfs group5
crypto map WAN_map 1 set peer 3.3.3.3
crypto map WAN_map 1 set ikev2 ipsec-proposal AES256
crypto map WAN_map interface WAN
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable WAN
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
!


2 Replies

Bogdan Nita (VIP Alumni)

You can't NAT the 1.1.1.1 IP configured on the WAN interface.

If you were using a bigger ASA than the 5506, you could have 2 contexts.

Maybe you can get in touch with the ISP to configure the NAT on their device.


HTH

Bogdan

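Added illustration (not part of the thread, and not Cisco tooling): a small Python lint over the configuration lines pasted in the question. It reads out the interface the crypto map is bound to, that interface's address, and the mapped address of the dynamic NAT rule out of the same interface, and reports that the tunnel will be sourced from 1.1.1.1 regardless of the NAT rule, because manual NAT is evaluated for traffic passing between the two named interfaces and not for the IKE/ESP packets the ASA generates itself, which is the point the reply above makes. The function names and the simplified parsing are my own assumptions; the config text is copied from the question.

```python
import re
from ipaddress import ip_address

# Constructed sample: the lines from the configuration pasted in the question
# that decide where IKE/ESP is sourced from and what gets translated.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
object network WAN_IP_1
 host 2.2.2.2
nat (LAN,any) source static LAN LAN destination static Datacentre Datacentre no-proxy-arp route-lookup
nat (LAN,WAN) source dynamic LAN WAN_IP_1
route WAN 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto map WAN_map 1 set peer 3.3.3.3
crypto map WAN_map interface WAN
crypto ikev2 enable WAN
"""

# An interface stanza is the 'interface ...' line plus the indented lines under it.
INTERFACE_RE = re.compile(r"^interface \S+\n(?P<body>(?: .*\n)*)", re.M)


def parse_interface_ips(cfg):
    """Map each nameif to the address configured in that interface stanza."""
    ips = {}
    for m in INTERFACE_RE.finditer(cfg):
        body = m.group("body")
        nameif = re.search(r"^ nameif (\S+)", body, re.M)
        addr = re.search(r"^ ip address (\S+) \S+", body, re.M)
        if nameif and addr:
            ips[nameif.group(1)] = ip_address(addr.group(1))
    return ips


def parse_network_hosts(cfg):
    """Map 'object network NAME' to its host address (only the 'host' form matters here)."""
    return {m.group(1): ip_address(m.group(2))
            for m in re.finditer(r"^object network (\S+)\n host (\S+)", cfg, re.M)}


def parse_dynamic_source_nat(cfg, hosts):
    """Return (ingress_if, egress_if, real_object, mapped_address) for each
    'nat (in,out) source dynamic REAL MAPPED' rule. Manual NAT on the ASA is
    matched against traffic flowing *between* the two named interfaces."""
    rules = []
    pattern = r"^nat \(([^,)]+),([^)]+)\) source dynamic (\S+) (\S+)"
    for m in re.finditer(pattern, cfg, re.M):
        ingress, egress, real, mapped = m.groups()
        rules.append((ingress, egress, real, hosts.get(mapped)))
    return rules


def crypto_map_binding(cfg, map_name):
    """Return (interface, peer) for the named crypto map, or (None, None)."""
    iface = re.search(rf"^crypto map {re.escape(map_name)} interface (\S+)", cfg, re.M)
    peer = re.search(rf"^crypto map {re.escape(map_name)} \d+ set peer (\S+)", cfg, re.M)
    return (iface.group(1) if iface else None,
            ip_address(peer.group(1)) if peer else None)


def analyse_tunnel_source(cfg, map_name="WAN_map"):
    """Work out which address the ASA uses as IKE/ESP source for map_name and
    whether a dynamic NAT rule out of that interface maps to a different one."""
    ifaces = parse_interface_ips(cfg)
    hosts = parse_network_hosts(cfg)
    egress, peer = crypto_map_binding(cfg, map_name)
    # IKE and ESP are built by the ASA itself and leave on the interface the
    # crypto map is bound to, using that interface's own address.
    ike_source = ifaces.get(egress)
    # The dynamic rules only translate through-traffic entering on 'ingress'
    # and leaving on 'egress'; box-originated IKE/ESP never matches them, so
    # the mapped address has no effect on the tunnel source.
    mapped_addrs = [a for _, eg, _, a in parse_dynamic_source_nat(cfg, hosts)
                    if eg == egress and a is not None]
    return {
        "crypto_map_interface": egress,
        "peer": peer,
        "ike_source": ike_source,
        "nat_mapped_addresses": mapped_addrs,
        "source_differs_from_nat": any(a != ike_source for a in mapped_addrs),
    }


if __name__ == "__main__":
    r = analyse_tunnel_source(SAMPLE_CONFIG)
    print(f"IKEv2 to {r['peer']} leaves {r['crypto_map_interface']} "
          f"sourced from {r['ike_source']}")
    if r["source_differs_from_nat"]:
        print(f"dynamic NAT maps through-traffic to {r['nat_mapped_addresses']}, "
              "but that does not apply to traffic the ASA originates")
```

Run against the sample it reports that the IKEv2 negotiation with 3.3.3.3 leaves WAN sourced from 1.1.1.1 while through-traffic is mapped to 2.2.2.2; the same check can be pointed at any ASA running-config to confirm, before raising a case with the ISP, that the address the peer will see is the interface address and not the translated one.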
Thanks for your reply.
I'll go explore other options.