Frequently Asked Questions

VPN NAT behind the VPN Gateway Public IP

This sounds like inception to me. In some instances third parties do not accept a VPN connection using an RFC 1918 source IP address; SAP and some banks, for example, refuse private ranges because of the number of customers they have. As such you either need to use a public IP range in your DMZ or NAT your source traffic behind the public IP of your firewall. This always confused me: how can you configure a VPN connection using a public IP, for example 1.1.1.1, and then define the local encryption domain as 1.1.1.1 as well? Would this work? I had such a requirement recently and it does in fact work with a Cisco ASAv (it might not work with all VPN vendors).

# Create network groups and define your local networks and NAT address
object-group network LOCAL-NETWORKS
network-object 10.0.0.0 255.255.255.0
!
object-group network LOCAL-NETWORKS-VPN-NAT
network-object host 1.1.1.1
!
# REMOTE-NETWORKS (the third party's encryption domain) must also be defined as an object-group
# Define the interesting traffic in the ACL using the NAT address as the source, not the real 10.0.0.0/24 range
access-list VPN-TO-SAP permit ip object-group LOCAL-NETWORKS-VPN-NAT object-group REMOTE-NETWORKS
!
# Make sure that the VPN traffic is NAT'd. NAT is processed before VPN encryption, so the mapped address is what the crypto ACL sees
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS-VPN-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
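As an added check (not part of the original post), here is a small Python parser that reads an ASA config snippet like the one above and confirms that the crypto ACL references the NAT'd public source group rather than the RFC 1918 real addresses, and that a matching twice-NAT rule exists. The REMOTE-NETWORKS group and its 192.0.2.0/24 member are assumptions, since the page never defines that group.

```python
import ipaddress
import re

# Constructed sample following the FAQ's config; REMOTE-NETWORKS is an assumed value.
SAMPLE_CONFIG = """
object-group network LOCAL-NETWORKS
 network-object 10.0.0.0 255.255.255.0
object-group network LOCAL-NETWORKS-VPN-NAT
 network-object host 1.1.1.1
object-group network REMOTE-NETWORKS
 network-object 192.0.2.0 255.255.255.0
access-list VPN-TO-SAP permit ip object-group LOCAL-NETWORKS-VPN-NAT object-group REMOTE-NETWORKS
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS-VPN-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACL_RE = re.compile(r"access-list (\S+) permit ip object-group (\S+) object-group (\S+)")
NAT_RE = re.compile(r"nat \(\S+,\S+\)(?: \d+)? source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_groups(config):
    """Return {object-group name: [ip_network, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object ") and current:
            _, kind, *rest = line.split()  # 'host A.B.C.D' or 'NET MASK'
            groups[current].append(ipaddress.ip_network(rest[0] if kind == "host" else f"{kind}/{rest[0]}"))
    return groups

def check_vpn_nat(config, acl_name):
    """List findings for crypto ACL acl_name; an empty list means the NAT and ACL agree."""
    lines = [l.strip() for l in config.splitlines()]
    groups, findings = parse_groups(config), []
    acls = [m.groups() for m in map(ACL_RE.match, lines) if m]
    nats = [m.groups() for m in map(NAT_RE.match, lines) if m]
    _, src, dst = next(a for a in acls if a[0] == acl_name)  # raises if the ACL is absent
    for name in (src, dst):
        if name not in groups:
            findings.append(f"object-group {name} referenced but never defined")
    # The peer sees post-NAT addresses, so the ACL source must not be RFC 1918 space.
    if any(n.overlaps(r) for n in groups.get(src, []) for r in RFC1918):
        findings.append(f"ACL source {src} is RFC1918 space; the peer may reject it")
    # A twice-NAT rule must map the real source onto exactly the ACL's source group.
    if not any(n[1] == src and n[2] == dst for n in nats):
        findings.append(f"no 'source static <real> {src} destination static {dst} ...' NAT rule")
    return findings
```

Running check_vpn_nat(SAMPLE_CONFIG, "VPN-TO-SAP") returns an empty list; pointing the ACL at LOCAL-NETWORKS instead reports both the RFC 1918 source and the missing NAT match.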

NAT-T

Using Cisco ASAv in AWS or Azure is possible. However, be aware that the firewall is unaware of the public IP address you assign to the outside interface. Using the Cisco ASAv for a VPN is also possible, as NAT-T is on by default, so the firewall will source traffic from the public IP and accept IKE traffic destined to the public IP. Ensure you permit the NAT-T protocol (4500/udp) and that the remote end of the VPN supports NAT-T.

Cisco ASAv Smart Licensing registration issue

By default the Cisco ASAv management interface is not part of the firewall routing table, so it cannot route directly to the Internet. The Smart Licensing process uses the management interface by default. There is documentation on how to configure a proxy for this traffic, but if you want to route directly you will need to configure Smart Licensing to use the external interface (undocumented).

Check VM and licensing information
ciscoasa# show vm - shows the VM details (vCPU, memory, hypervisor)
ciscoasa# show version - shows the model
ciscoasa# show license status - shows your current licensing status

Configure DNS resolution
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# domain-name networkjigsaw.local
ciscoasa(config)# dns server-group DefaultDNS - DefaultDNS is the group the ASA uses by default; name-servers added to a differently named group are not used for lookups
ciscoasa(config-dns-server-group)# name-server 8.8.8.8
ciscoasa# ping tools.cisco.com - tests DNS resolution

Configure Smart Licensing
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level {100M | 1G | 2G}
ciscoasa(config-smart-lic)# exit
ciscoasa(config)# license smart register idtoken {token} [force] - force is optional and re-registers an already registered device

Verify the license has applied
ciscoasa# show vm
ciscoasa# show license usage

If this fails at this point, try changing the call-home interface (which smart licensing uses) to the outside interface.
