We have a Cisco ASA 5520, and we're creating an IPSec VPN to another Cisco ASA. We have multiple VPNs on this firewall.
The issue with the latest one is they require a Public IP as the Local Encryption Network. I've seen this question a couple times while searching but never really a definitive answer.
Would using the "Outside-Network" as the local encryption network, then natting the appropriate IPs be sufficient? Or would this not work at all?
Our Public block is X1.X1.X1.64 - X1.X1.X1.79, our Peer IP X1.X1.X1.66. Would using X1.X1.X1.64/28 as the local encryption network make the connection? Then NAT the needed IPs from our DMZ X2.X2.X2.71 as X1.X1.X1.71 to the client?
Would this work or am I way off the mark (I'm by no means an ASA expert, and an ASDM explanation would help over command line).
Thanks all in advance,
Edit: Or would I have to create a new Global Pool made up of Public IPs on a different subnet mask than our actual Public IP address pool. And make that our Local Encrypted Network? I think this might be it, but could it cause IP overlapping? Our webserver is part of this and I'm worried about causing connection issues.
IF I am not misunderstanding you, what you are asking is regarding IPSEC host endpoints (not tunnel endpoints) when you are connectiong up to a partner network via ipsec or they are connectiong to you. ie the addresses that is sending/recieving the traffic you want to encrypt to and from.
This is normal operations if you are a big company that are talking to many other big companies.
Then you are tripping over the same network information, ie the same networks.
To avoid that problem you can use Internet ip address endpoints instead of RFC1918 compliant ip address endpoints.
This however can be problematic when you change ISP and "must" change your Internet provided addresses via the vpn also.
So yes this is a viable solution if you have many addresses, if you do not then you are stuck with natting twice and similare technology.
OR as i have seen other companies do, simply find out something that you will never be interested in reaching, such as a small tirecompany halfway around the globe and simply just use their addresses.
This will ofcourse mean that the addresses you are using are not yours but that does not matter since you are not interested in ever visiting them anyway, and the same needs to be true for the partner.
However it is possible that the small tire company goes out of bussiness and its ipadresses is reused for a company that you or your partner ARE interested in going to. This is bad bussiness and is to be avoided, but as i said earlier i have seen it beeing done.
Remember that the ip addresses you are using for the VPN will have problems to be reached over the Internet from your customers that you have the vpn with since they are used in the vpn.
So it would be a bad idea to use a part of the network that you have your mail or webserver installed in.
Yes, you are right on the money. The public IPs must be used as the addresses that are sending/receiving encrypted traffic. We have a small amount of public IP addresses, and all of them are used. Our Web server is what the VPN is being setup for (report ordering).
Sounds like we could just use the X1.X1.X1.64/28, which is our Public Subnet ID as the "Local Network", would you agree?
Our Web and Mail server are in this address block, could routing issues occur because of this, or only to the shop we are VPNing with? Unless we make a couple Static Policies?
you can not use the external addressblock. or rather you can but it is realy very much not recomended
that would be problematic since your vpn tunnel is most likely one of those adresses right ?
You could use a part of it such as a /29 but not the part where the vpn is terminated.
but since it is so small to begin with I would recomend against it.
You do not want to have two systems with the same addresses to be accessed by the same systems.
if you fx use the same part as your mail server is in they (your partner) would have to make arangements so that some of their systems go through the vpn and som not when they try to access the same addresses.
If something goes wrong they will either loose the ability to
I am not saying it is not possible, it is, just that there are better ways such as double nat when it comes to that.
simply put, your external network is to small for you to consider this to be a good plan.
the external IP addresses are to valuable for other things comparing the hassle of double natting.
It is one thing that you can do something its another if you should.
1. All of our Public IP addresses are in use (X1.X1.X1.65 - X1.X1.X1.78) with X1.X1.X1.64 and X1.X1.X1.79 as endpoints
2. Two of them will need to transfer encrypted data in the tunnel
So I create a subnet (internally) using the /30 subnet (X1.X1.X1.72 - X1.X1.X1.75), then NAT the appropriate IPs from the DMZ, to the remote network (the IPsec Remote Local Network), as X1.X1.X1.73 and X1.X1.X1.74 (even though X1.X1.X1.73 and X1.X1.X1.74 are being used to the outside)
Would that subnet interfere with the IPs of the public address that are being used?
Hope this make sense, please let me know what you think, and I'll clarify anything that needs it.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :