https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482931#M269934 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are they allocating a public IP address directly to your ASA5505 firewall or is this done through Static NAT on their ASA5510 firewall?</P><P></P><P>Either way you should be able to configure a L2L VPN from this ASA to another VPN device on some remote location.</P><P></P><P>If they are allocating your ASA a public IP address directly that you will be configuring in its interface then I would imagine the main things you would need to make sure is that the ASA5510 firewall admins allow UDP/500 and ESP through their firewall to the public IP address of your ASA5505. I presume they would not be doing any NAT for this IP address and would either be doing NAT0 or Static Identity NAT for your public IP address. (so it passes without NAT through their firewall)</P><P></P><P>If they are doing Static NAT on the ASA5510 I think they would also have to allow UDP/4500 through their firewall to your ASA5505 public IP address. In this case you might also need NAT Traversal configurations on the VPN devices.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 10 Feb 2014 13:00:43 GMT Jouni Forss 2014-02-10T13:00:43Z https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482930#M269932 <P style="margin: 0cm; margin-bottom: .0001pt;">Hi,</P><P></P><P style="margin: 0cm 0cm 0.0001pt;"><SPAN style="font-size: 10pt;">We will share the Internet line with the building management. Building management have Cisco firewall 5510 and we will connect our Cisco firewall 5505 to the Building management firewall DMZ port. We have been given one public IP address to assign to our firewall. </SPAN></P><P></P><P style="margin: 0cm 0cm 0.0001pt;"><SPAN style="font-size: 10pt;">My question is can we configure IPsec site-2-site VPN tunnel on our firewall to another site although this firewall is connecting to building management firewall DMZ port.</SPAN></P><P></P><P style="margin: 0cm 0cm 0.0001pt;"><SPAN style="font-size: 10pt;">Thanks for your help.</SPAN></P><P></P><P style="margin: 0cm 0cm 0.0001pt;"><SPAN style="font-size: 10pt;">Sethi</SPAN></P> Tue, 12 Mar 2019 03:43:32 GMT https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482930#M269932 mazars-cisco 2019-03-12T03:43:32Z https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482931#M269934 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are they allocating a public IP address directly to your ASA5505 firewall or is this done through Static NAT on their ASA5510 firewall?</P><P></P><P>Either way you should be able to configure a L2L VPN from this ASA to another VPN device on some remote location.</P><P></P><P>If they are allocating your ASA a public IP address directly that you will be configuring in its interface then I would imagine the main things you would need to make sure is that the ASA5510 firewall admins allow UDP/500 and ESP through their firewall to the public IP address of your ASA5505. I presume they would not be doing any NAT for this IP address and would either be doing NAT0 or Static Identity NAT for your public IP address. (so it passes without NAT through their firewall)</P><P></P><P>If they are doing Static NAT on the ASA5510 I think they would also have to allow UDP/4500 through their firewall to your ASA5505 public IP address. In this case you might also need NAT Traversal configurations on the VPN devices.</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 10 Feb 2014 13:00:43 GMT https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482931#M269934 Jouni Forss 2014-02-10T13:00:43Z https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482932#M269937 <HTML><HEAD></HEAD><BODY><P>Yes,&nbsp; but port 500 and 4500 have to be allowed through the managment firewall for this to work.&nbsp; So make sure that they have an access list that permits those ports (if they haven't already allowed all traffic through that is.)</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Mon, 10 Feb 2014 13:02:06 GMT https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482932#M269937 Marius Gunnerud 2014-02-10T13:02:06Z https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482933#M269938 <HTML><HEAD></HEAD><BODY><P>Thanks Guys for your help and feedback. I will implement this in few weeks time and will let you know. </P></BODY></HTML> Mon, 10 Feb 2014 13:11:19 GMT https://community.cisco.com/t5/network-security/ip-sec-tunnel-to-a-firewall-in-dmz-of-another-firewall/m-p/2482933#M269938 mazars-cisco 2014-02-10T13:11:19Z