Solved: Allowing an IPSEC conn through and NAT it

alexis.katsavras · ‎03-12-2015

Hi there,

Was wondering if someone could point me in the right direction on this as I am fairly new to the security field.

I would like to only allow IPSEC connections through one of the public IP address on the ASA (ver 8.2(5)) outside interface. NAT it to a private address and route it out to the DMZ where there is a server for the IPSEC to terminate on.

Any help on achieving this would be great.

Thanks

alexis

http://www.netpacket.co.uk/ http://www.blog.netpacket.co.uk/

Adeolu Owokade · ‎03-12-2015

Hi Alexis,

The configuration below should work based on your ASA version.

You need to configure static NAT for the private to public translation:

static (DMZ,OUTSIDE) <public IP> <private IP> netmask 255.255.255.255

Then you need to allow the IPsec protocols through an ACL applied on the outside:

access-list OUTSIDE-IN permit udp any host <public IP> eq 500

access-list OUTSIDE-IN permit udp any host <public IP> eq 4500

access-group OUTSIDE-IN in interface OUTSIDE

UDP port 4500 is necessary because NAT is involved.

Let me know if this helps.

View solution in original post

Adeolu Owokade · ‎03-12-2015