https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008264#M146085 <P>If you wish to configure S2S VPN on ASA with its outside interface's IP address as a peer device IP then it should not be an issue since&nbsp;<SPAN>IKE phase 1 uses UDP 500.&nbsp;&nbsp; If the the peers are behind NAT device then NAT Traversal comes into the picture where they discover that they are connected through a NAT device somewhere, they will use UDP 4500 for IKE phase 1.</SPAN></P> <P>So, make sure that you do not have configure PAT related to these ports otherwise it can create issues.</P> <P>Once the tunnel is up, the intended traffic (proxy ids) are matched for Phase 2 and along with the rest of the parameters.</P> <P>The good practice recommends to allow "ip" traffic between VPN subnets and MUST have no-nat (nat exemption) configured on the ASA.</P> <P>I hope this answers your question.</P> <P></P> <P>Regards</P> <P>Tripat Kaur</P> <P></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Tue, 07 Mar 2017 22:56:11 GMT trdatta 2017-03-07T22:56:11Z https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008261#M146082 <P>can i configure the ASA outside interface public ip as static nat for one of the inside servers</P> Tue, 12 Mar 2019 09:00:37 GMT https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008261#M146082 Manjunath S Chickmath 2019-03-12T09:00:37Z https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008262#M146083 <P>This is not a good practice and if you do that then ASA's outside interface IP address will only be bounded to that particular server's internal IP address and cannot be taken in use for anything else as static nat is one to one nat and it may affect the internet traffic. But yes that depends upon your topology too.&nbsp;</P> <P>In case, you do not have much free public IP addresses and needs to use outside interface IP address, then you can also check regular static PAT which is also static in nature but port based. For eg : If you have webserver, then you can bound port 80 of outside's public IP address for your server.&nbsp;</P> <P></P> <P>Below is the link which can give you more information about static PAT:</P> <P>Till 8.2:</P> <P>http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html</P> <P></P> <P>For 8.3 and above:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/nat_objects.html#wp1106703</P> <P>from CLI:&nbsp;</P> <P>https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples</P> <P></P> <P>Please rate if this resolves your concern/issue.</P> <P></P> <P>Regards</P> <P>Tripat Kaur</P> Fri, 03 Mar 2017 19:54:22 GMT https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008262#M146083 trdatta 2017-03-03T19:54:22Z https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008263#M146084 <P>thanks for the info.</P> <P></P> <P>Being said that still we can Nat outside interface ip, can we pass the outside Nat Interface ip in site 2 site vpn ? again we will using outside interface ip as vpn peer ip, is this possible ?&nbsp;</P> Sat, 04 Mar 2017 04:39:21 GMT https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008263#M146084 Manjunath S Chickmath 2017-03-04T04:39:21Z https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008264#M146085 <P>If you wish to configure S2S VPN on ASA with its outside interface's IP address as a peer device IP then it should not be an issue since&nbsp;<SPAN>IKE phase 1 uses UDP 500.&nbsp;&nbsp; If the the peers are behind NAT device then NAT Traversal comes into the picture where they discover that they are connected through a NAT device somewhere, they will use UDP 4500 for IKE phase 1.</SPAN></P> <P>So, make sure that you do not have configure PAT related to these ports otherwise it can create issues.</P> <P>Once the tunnel is up, the intended traffic (proxy ids) are matched for Phase 2 and along with the rest of the parameters.</P> <P>The good practice recommends to allow "ip" traffic between VPN subnets and MUST have no-nat (nat exemption) configured on the ASA.</P> <P>I hope this answers your question.</P> <P></P> <P>Regards</P> <P>Tripat Kaur</P> <P></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Tue, 07 Mar 2017 22:56:11 GMT https://community.cisco.com/t5/network-security/can-i-configure-the-asa-outside-interface-public-ip-as-static/m-p/3008264#M146085 trdatta 2017-03-07T22:56:11Z