I apologize if this has been asked and answered in the forums. I searched, and while I found a large number of entries that danced all around this particular question, I never found anything that addressed this specific question.

We are currently using an ASA 5520 as the head end of a relatively large client-to-site IPsec VPN (roughly 240 users, not consecutively). This ASA is currently sitting behind a Checkpoint firewall with an actual publicly addressable IP address on its public interface. All our clients are using the legacy Cisco VPN client (not the AnyConnect one).

We are planning on putting a couple of F5 Link Controllers in place between the ISPs and the firewalls. For VPN connectivity, F5 recommends that we NAT the IP address (called a Wide IP) at the F5 and point it back to a private IP address on the ASA.

My question is, will this work? I've always heard that the head end needed to have a public IP address on it, as that's what will be placed in the packets for the client to talk back to.

For clarification, here's what we have currently and what we're being asked to go to:

ISP - Router - Firewall - ASA (public IP address as endpoint)

This results in VPN client requests arriving at the VPN server appearing not to come from the client's original IP address, but from the IP address of the network device (firewall or load balancer) that is translating the request.

ISP - Router - F5 (public IP address as endpoint, NATed to ASA) - Firewall - ASA (10.X.X.X as its outside interface)

ISP - Router - F5 (public IP address as endpoint, NATed to ASA) - ASA (10.X.X.X as its outside interface)

Any and all thoughts at this time would be greatly appreciated.