Cisco ASA5505 VPN Tunnel Using Nat - Firewalls


  1. Cisco ASA5505 VPN Tunnel Using Nat

    I have been asked to set up a site-to-site VPN tunnel using IPsec.
    Building the tunnel is not an issue for me. However, the folks at the
    remote site are requiring that we provide a public IP address for our
    local host, which they will be connecting to. I have searched the
    cisco.com site and have not found an easily explained solution. The
    remote site wants a configuration similar to the one below:

    Remote Site VPN End Point: 1.1.1.1
    Host IP addresses at remote site: 2.2.2.1 and 2.2.2.2

    Our site
    VPN End Point: 3.3.3.3
    Local Host which will be tunneling traffic: They are requiring this to
    be a public IP. Currently we use RFC 1918 addresses, which means we
    will have to translate a public address to our private host addresses.

    Can I simply set up a static NAT statement which translates the public
    address to our private address, as we are only using one host on our
    side? Then do I set "match address" to the public IP?

    Thanks,
    Steve J


  2. Re: Cisco ASA5505 VPN Tunnel Using Nat

    On Aug 17, 9:34 am, Newbie72 wrote:
    > Can I simply set up a static NAT statement which translates the public
    > address to our private address, as we are only using one host on our
    > side? Then do I set "match address" to the public IP?


    Anybody got any suggestions?


  3. Re: Cisco ASA5505 VPN Tunnel Using Nat

    Newbie72 wrote:
    > Anybody got any suggestions?
    >


    This is a lot easier than most people think. Just NAT the inside to an
    external IP.

    static (inside,outside) 4.4.4.4 3.3.3.3 netmask 255.255.255.255

    And then when you configure the ACLs for the VPN use the 4.4.4.4 as the
    host on your side. And do not configure a NoNat ACL.

    That's it.

    Scott
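
The configuration described in this reply, written out as an added example that is not part of the original post (ASA software before 8.3, matching the static syntax above). The private host address 192.168.1.10 and the ACL, crypto map and transform-set names are assumptions; the ISAKMP policy and the tunnel-group for peer 1.1.1.1 are assumed to be configured already.

```cisco
! Constructed example. Addresses 1.1.1.1, 2.2.2.1, 2.2.2.2 and 4.4.4.4 come
! from the thread; 192.168.1.10 is an assumed private address for the local
! host, and all object names below are placeholders.

! 1. Translate the inside host to the public address the remote site expects.
static (inside,outside) 4.4.4.4 192.168.1.10 netmask 255.255.255.255

! Narrower alternative (use instead of the line above): policy static NAT,
! which translates the host only for traffic to the two remote hosts.
! access-list VPN-POLICY-NAT extended permit ip host 192.168.1.10 host 2.2.2.1
! access-list VPN-POLICY-NAT extended permit ip host 192.168.1.10 host 2.2.2.2
! static (inside,outside) 4.4.4.4 access-list VPN-POLICY-NAT

! 2. The crypto ACL names the translated address, because the ASA applies
!    NAT before it matches outbound traffic against the crypto map.
access-list VPN-TO-REMOTE extended permit ip host 4.4.4.4 host 2.2.2.1
access-list VPN-TO-REMOTE extended permit ip host 4.4.4.4 host 2.2.2.2

! 3. Bind the ACL to the tunnel. Leave this flow out of any
!    "nat (inside) 0 access-list ..." exemption: an exempted packet keeps
!    source 192.168.1.10 and never matches VPN-TO-REMOTE.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 1.1.1.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! 4. Checks once the tunnel is up:
!    show xlate             ! confirm the static translation is present
!    show crypto ipsec sa   ! confirm the local identity of the SA
!    packet-tracer input inside icmp 192.168.1.10 8 0 2.2.2.1
```

A plain static translation applies to all traffic from the host, not only the tunnel, so the outside interface ACL still decides whether 4.4.4.4 is reachable from anywhere else.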


  4. Re: Cisco ASA5505 VPN Tunnel Using Nat

    On Nov 4, 9:30 pm, Scott Stokes wrote:
    > This is a lot easier than most people think. Just NAT the inside to an
    > external IP.
    >
    > static (inside,outside) 4.4.4.4 3.3.3.3 netmask 255.255.255.255
    >
    > And then when you configure the ACLs for the VPN use the 4.4.4.4 as the
    > host on your side. And do not configure a NoNat ACL.
    >
    > That's it.
    >
    > Scott


    I should have gone back and closed this thread. You are right though.
    It ended up being a lot easier than I thought.

    I ran out of time and threw caution to the wind a week or 2 ago and did
    just as you suggested, and it now works flawlessly. Thanks for the
    reply.

