03-12-2015 08:22 AM - edited 03-11-2019 10:38 PM
Hi there,
Was wondering if someone could point me in the right direction on this as I am fairly new to the security field.
I would like to only allow IPSEC connections through one of the public IP addresses on the ASA (ver 8.2(5)) outside interface, NAT it to a private address, and route it out to the DMZ where there is a server for the IPSEC to terminate on.
Any help on achieving this would be great.
Thanks
alexis
03-12-2015 07:40 PM
Hi Alexis,
The configuration below should work based on your ASA version.
You need to configure static NAT for the private to public translation:
static (DMZ,OUTSIDE) <public IP> <private IP> netmask 255.255.255.255
Then you need to allow the IPsec protocols through an ACL applied on the outside:
access-list OUTSIDE-IN permit udp any host <public IP> eq 500
access-list OUTSIDE-IN permit udp any host <public IP> eq 4500
access-group OUTSIDE-IN in interface OUTSIDE
UDP port 4500 is necessary because NAT is involved.
Let me know if this helps.
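As an added check that is not part of the thread, the Python helper below renders the two pieces of the answer above with constructed sample addresses (documentation ranges, not Alexis's real IPs) and audits that the outside ACL exposes nothing on the public IP beyond IKE (UDP/500) and NAT-T (UDP/4500). The function names and the "isakmp" port keyword mapping are assumptions of this example.

```python
import re

# Constructed sample addresses (RFC 5737 / RFC 1918), not from the original thread.
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.1.1.10"

# IKE (UDP/500) and NAT-T (UDP/4500): the only inbound services an IPsec
# endpoint behind static NAT needs exposed. ESP rides inside UDP/4500 with NAT-T.
IPSEC_UDP_PORTS = {500, 4500}
PORT_KEYWORDS = {"isakmp": 500}  # assumed keyword mapping for the ASA "eq" field


def render_asa82_config(public_ip, private_ip, acl="OUTSIDE-IN"):
    """Render the ASA 8.2-style static NAT plus outside ACL from the answer.
    On 8.2 the ACL matches the mapped (public) address, hence public_ip here."""
    return "\n".join([
        f"static (DMZ,OUTSIDE) {public_ip} {private_ip} netmask 255.255.255.255",
        f"access-list {acl} permit udp any host {public_ip} eq 500",
        f"access-list {acl} permit udp any host {public_ip} eq 4500",
        f"access-group {acl} in interface OUTSIDE",
    ])


# Minimal ACE grammar: access-list NAME permit|deny PROTO SRC host DST [eq PORT]
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$"
)


def audit_outside_acl(config, public_ip):
    """Return the permit ACEs that expose anything on public_ip other than
    IKE/NAT-T. An empty list means the ACL is as tight as the answer intends."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if not m or m.group(2) != "permit" or m.group(5) != public_ip:
            continue
        proto, port = m.group(3), m.group(6)
        port_num = PORT_KEYWORDS.get(port) if port else None
        if port and port.isdigit():
            port_num = int(port)
        if proto == "udp" and port_num in IPSEC_UDP_PORTS:
            continue  # expected IKE / NAT-T entry
        findings.append(line)  # anything else widens the exposure of the VPN host
    return findings


if __name__ == "__main__":
    cfg = render_asa82_config(PUBLIC_IP, PRIVATE_IP)
    print(cfg)
    print("unexpected permits:", audit_outside_acl(cfg, PUBLIC_IP))
```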
05-08-2015 01:28 AM
Thanks for the help, Adeolu. It took a while to actually get round to implementing it.
alexis