VPN s2s through F5 LC with ASA like Endpoint
Hi, I have the next situation:
Internet -> F5 LC -> Cisco ASA
I understand that 2 VS must be configured, 1 for incoming traffic and 1 for outbound traffic:
VS incoming traffic:
Performance Layer 4, destination host -> public IP (a.a.a.a), service port 0, all protocols
VS outgoing traffic:
Performance Layer 4, source -> b.b.b.5 (interface LAN of Cisco ASA), destination 0.0.0.0/0, service port 0, all protocols, source address translation SNAT -> SNAT_pool (Public IP VS a.a.a.a) pool member -> 3 ISP with preference
Is this enough or do I need something else to establish communication? I must mention that I already have a VS output to the internet with the 3 ISP source LAN (b.b.b.0/24) destination network 0.0.0.0/0 all protocols .... will there be any problems?
Thanks!
- christiancruz88Nimbostratus
VS incoming
VS outgoing
SNAT pool -> member (public IP in VS incoming)
Do you have a tcpdump output to share?
- christiancruz88Nimbostratus
Hi, I still have problems
- youssef1Cumulonimbus
Hi Christian,
Is it working, or do you still have problems?
Regards
- youssef1Cumulonimbus
Hi Christian,
In fact, you have 2 VS to deploy:
VS incoming traffic: Internet -> F5 LC -> Cisco ASA
Set it to an L4 VS...
VS outgoing traffic: Cisco ASA -> F5 LC -> Internet
For this VS, don't forget to uncheck "Address Translation" and "Port Translation" in the VS settings. An L4 VS is OK.
Additionally, you have to configure NAT Traversal on your peer that performs the VPN. Moreover, I think that you have to stick the VPN to one ISP only. If your external FW can set up its VPN with multiple IPs, it will work. If not, you have to set your inbound traffic through just one IP/ISP.
Hope it's clear. Keep me updated.
Regards
I believe you want to read this KB and make sure the F5 BIG-IP doesn't touch your IPsec traffic:
https://support.f5.com/csp/article/K14169
I would start with one ISP line in the pool to make sure that works before extending to the three.
Also, which TMOS version are you using?