Frequently asked Questions

VPN NAT behind the VPN Gateway Public IP

This sounds like inception to me. In some instances 3rd parties do not accept a VPN connection using an RFC-1918 source IP address, for example SAP and some banks due to the amount of customers they have. As such you either need to use a public IP range in your DMZ or NAT your source traffic behind the public IP of your firewall. This always confused me, how can you configure a VPN connection using a public IP, for example 1.1.1.1 and then define the local encryption domain as 1.1.1.1. Would this work? I had such a requirement recently and it does in fact work with a Cisco ASAv (might not work with all VPN vendors).

# Create network groups and define your local networks and NAT address
object-group network LOCAL-NETWORKS
network-object 10.0.0.0 255.255.255.0
!
object-group network LOCAL-NETWORKS-VPN-NAT
network-object host 1.1.1.1
!
# Define the interesting traffic in the ACL using the NAT address as the source
access-list VPN-TO-SAP permit ip object-group LOCAL-NETWORKS-VPN-NAT object-group REMOTE-NETWORKS
!
Make sure that the VPN traffic is NAT'd. This is processed before VPN encryption
nat (inside,outside) 1 source static LOCAL-NETWORKS LOCAL-NETWORKS-VPN-NAT destination static REMOTE-NETWORKS REMOTE-NETWORKS

NAT-T

Using Cisco ASAv in AWS or Azure is possible. However be aware that the firewall is unware of the public IP address you assign to the outside interface. If you are going to use the Cisco ASAv for a VPN this is also possible as NAT-T is on by default so the firewall will source traffic from the public IP and access IKE traffic destined to the public IP. Ensure you permit the NAT-T protocol (4500/udp) and that the remote end of the VPN supports NAT-T.

Cisco ASAv Smart Licensing registration issue

By default the Cisco ASAv management interface is not part of the firewall routing table so cannot route directly to the Internet. The Smart licensing process uses the management interface by default. There is documentation on how to configure a proxy for this traffic but if you want to route directly you will need to configure the Smart Licensing to use the external interface (un-documented).

Check VM and licensing information
ciscoasa# show vm - shows the vm details (vcpu, memory, hypervisor)
ciscoasa# show version - shows the model
ciscoasa# Show license status - show your current licensing status

Configure DNS resolution
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# domain-name networkjigsaw.local
ciscoasa(config)# DNS server-group Default
ciscoasa(config)# name-server 8.8.8.8
ciscoasa# ping tools.cisco.com - test DNS resolution

Configure Smart Licensing
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level {100M | 1G | 2G}
ciscoasa(config-smart-lic)# exit
ciscoasa(config)# license smart register idtoken {token} {force}

Verify license has applied
Ciscoasa# show vm
Ciscoasa# show license usage

If this fails at this point, try changing the call-home interface (which smart licensing uses) to the outside interface.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s