cisco 5510 vpn

lawsuites
Level 1

Hello, we have a Cisco 5510, and on our floor we have a client to whom we provide an internet connection. One of our clients has a small server and 2 computers, and they want to set up a VPN connection so they can access their server from outside. We have only one static public IP for the firewall and Exchange. We don't want to provide another public static IP to our client so they can set up the VPN. Is there any other way to set up a VPN for them? Can they use our one public IP for the VPN? Thanks


Jennifer Halim
Cisco Employee

Are they looking to terminate the VPN on your ASA5510, or are they looking to terminate the VPN on their own servers (i.e., VPN traffic passing through your ASA5510)?

Also, which VPN are they looking to setup? PPTP? IPSec? SSL?

Depending on which VPN and where they would like to terminate, there are options.

If they would like to terminate the VPN on your ASA, then you would need to configure the VPN for them and allow them access to their hosts. The VPN will be terminated on your ASA outside interface public IP address.

If they would like to terminate the VPN on their own equipment, then you would need to find out which type of VPN they are trying to setup.

Thanks for the fast reply Jennifer. They want to terminate the VPN on their own equipment, and I believe they want to use PPTP. What are the options with this?

PPTP works on 2 protocols:

1) Control: TCP/1723

2) Data: GRE

Do you only have 1 public IP address assigned to your ASA outside interface?

Or do you have 1 extra spare public IP address?

Also, are you currently using that particular public IP for anything else?

Depending on your current static translation configuration and on the answers to the questions above, you will also need to enable "inspect pptp" on your current global policy-map.

Here is the information on "inspect pptp" for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718

PPTP is already enabled on the 5510. The static public IP is being used for remote access to the server, and this IP has a VPN tunnel configured with our remote site. Do I need to enable anything else on the 5510? How should the VPN be configured?

I do have a spare IP, but I want to keep it for our own use rather than providing it to the client.

Since they will be terminating the PPTP on their own server, you only need to create a static PAT translation for the server on TCP/1723, and of course an access-list entry on the outside interface to allow TCP/1723 too.

Jennifer, thanks. Can you tell me how to create the static PAT translation for the server on TCP/1723 and the access-list on the outside interface?

If I do give them a separate IP address, then how do I configure that?

Again, thank you very much for your time.

Can you please share your existing configuration so I can give you the exact commands?

Also, which public IP address would you like to use for this?

And what is their internal server IP address?

And if you give them a separate IP address, please also advise the IP address.

Depending on which version of ASA you have, the config will be different.

I want to use our current IP, for example 24.243.234.42. We are using this IP for remote access and the VPN tunnel to the remote site. That should not be an issue, right?

Let's say their internal server IP is 10.10.11.60.

Let's say I have to provide a separate IP address; then it's going to be 24.243.234.45.

Also, is there any security risk in doing this?

The following is an example of our config:

ASA Version 8.0(4)
!
hostname ASA-A1
domain-name domain.net
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 24.243.234.42 255.255.255.224
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.200 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 security-level 100
 ip address 10.10.11.5 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
 management-only
!

Jennifer Halim
Cisco Employee

I see that you have interface Ethernet0/2 configured for 10.10.11.0/24 subnet, however, it has not been named yet. Assuming that you are going to name it "inside-companyA":

If you want to use the outside ip address (24.243.234.42), here is the configuration:

static (inside-companyA,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255

access-list 100 extended permit tcp any interface outside eq 1723

If you want to use a spare ip address (24.243.234.45) just for PPTP, then here is the configuration:

static (inside-companyA,outside) 24.243.234.45 10.10.11.60 netmask 255.255.255.255

access-list 100 extended permit tcp any host 24.243.234.45 eq 1723

Hope that helps.

Thank you very much.

Interface Ethernet0/2 was being used for MPLS, but not anymore. So if I do the following with our current IP address, then it should work, right?

static (inside,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255

access-list 100 extended permit tcp any interface outside eq 1723

Provided that 10.10.11.0/24 will be routed out the inside interface, yes, you are absolutely correct.

As per your current configuration, I don't see a route for 10.10.11.0/24 towards your inside interface, hence I just would like to double-check how the ASA is reaching 10.10.11.0/24.
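Pulling the thread together, the following is an added example that is not part of the original posts or of any Cisco documentation: one consistent ASA 8.0(4) configuration that covers the two PPTP channels and "inspect pptp" described earlier (TCP/1723 control, GRE data), the accepted static PAT plus access-list, and the route check raised in the last reply. The interface name inside-companyA, the server 10.10.11.60 and the addresses 24.243.234.42 / 24.243.234.45 come from the posted configuration; the next hop 10.10.10.1 and the assumption that the existing outside ACL is named 100 are placeholders, and the pre-8.3 NAT syntax matches the posted 8.0(4) version.

```cisco
! Added example (not from the thread). ASA 8.0(4), pre-8.3 NAT syntax as in the posted config.
! Assumes: Ethernet0/2 is brought up and named inside-companyA, the client's PPTP server is
! 10.10.11.60, and the shared outside address 24.243.234.42 is used via static PAT on TCP/1723.
!
! 1. Give the client subnet its own interface (the posted config has it shut down and unnamed).
interface Ethernet0/2
 nameif inside-companyA
 security-level 100
 ip address 10.10.11.5 255.255.255.0
 no shutdown
!
! 2. Static PAT: only TCP/1723 on the shared outside address is forwarded to the client server;
!    the existing remote-access and site-to-site VPN on that address are unaffected.
static (inside-companyA,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255
!
! 3. Permit the PPTP control channel inbound on outside. If an ACL is already bound inbound on
!    outside (likely, given the existing remote access), add this line to THAT ACL instead of
!    binding a second one: "access-group" replaces the previously bound ACL.
!    GRE (the data channel, IP protocol 47, no ports) needs no ACL entry here: PPTP inspection
!    opens it dynamically per call ID.
access-list 100 extended permit tcp any interface outside eq 1723
access-group 100 in interface outside
!
! 4. PPTP inspection in the default global policy. Without it the TCP/1723 handshake succeeds
!    but the GRE tunnel never comes up through the PAT translation.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
!
! Alternative to steps 2-3 if the client is given the spare address 24.243.234.45 instead
! (one-to-one static, as in the accepted answer):
! static (inside-companyA,outside) 24.243.234.45 10.10.11.60 netmask 255.255.255.255
! access-list 100 extended permit tcp any host 24.243.234.45 eq 1723
!
! Routing: with Ethernet0/2 up, 10.10.11.0/24 is directly connected and needs no route.
! If instead the server stays behind "inside" (the poster's "static (inside,outside)" variant),
! the ASA needs a route to it; 10.10.10.1 below is an ASSUMED next hop, not from the thread.
! route inside 10.10.11.0 255.255.255.0 10.10.10.1
!
! Verification once a remote client connects:
! show xlate                          -> a PAT entry mapping 24.243.234.42/1723 to 10.10.11.60/1723
! show conn                           -> the TCP/1723 connection plus a GRE connection built by inspection
! show service-policy inspect pptp    -> inspection counters increasing
```

Two practitioner checks on this: the source "any" in the access-list exposes TCP/1723 on the shared address to the whole internet, so if the client's remote users come from fixed addresses, narrow the source to those hosts or networks; and after applying the change, confirm with "show conn" that a GRE entry appears alongside the TCP/1723 entry, since a control channel that connects without a GRE conn is the signature of missing "inspect pptp".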
