02-27-2011 03:43 PM - edited 03-11-2019 12:57 PM
Hello, we have a Cisco 5510 and on our floor we have a client to whom we provide an internet connection. One of our clients has a small server and 2 computers and they want to set up a VPN connection so they can access their server from outside. We have only one static public IP for the firewall and Exchange. We don't want to provide another public static IP to our client so they can set up the VPN. Is there any other way to set up a VPN for them? Can they use our 1 public IP for the VPN? Thanks
02-27-2011 03:49 PM
Are they looking to terminate the VPN on your ASA5510, or are they looking to terminate the VPN on their own servers (i.e. VPN traffic passing through your ASA5510)?
Also, which VPN are they looking to set up? PPTP? IPSec? SSL?
Depending on which VPN and where they would like to terminate it, there are options.
If they would like to terminate the VPN on your ASA, then you would need to configure the VPN for them and allow them access to their hosts. The VPN would then be terminated on your ASA outside interface public IP address.
If they would like to terminate the VPN on their own equipment, then you would need to find out which type of VPN they are trying to set up.
02-27-2011 03:55 PM
Thanks for the fast reply Jennifer, they want to terminate the VPN on their own equipment and I believe they want to use PPTP. What are the options with this?
02-27-2011 04:02 PM
PPTP works on 2 protocols:
1) Control: TCP/1723
2) Data: GRE
Do you only have 1 public ip address assigned to your ASA outside interface IP?
Or you have 1 extra spare public ip address?
Also, are you currently using that particular public ip for anything else?
Depending on your current static translation configuration, and based on the answers to the questions above, you will also need to enable "inspect pptp" on your current global policy-map.
Here is the information on "inspect pptp" for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1741718
02-27-2011 04:12 PM
PPTP is already enabled on the 5510. The static public IP is being used for remote access to the server and this IP has a VPN tunnel configured with our remote site. Do I need to enable anything else on the 5510? How should they configure the VPN?
I do have a spare IP but I want to keep it for our own use rather than providing it to the client.
02-27-2011 04:15 PM
Since they will be terminating the PPTP on their own server, you only need to create static PAT translation for the server on TCP/1723, and of course access-list on the outside interface to allow TCP/1723 too.
02-27-2011 04:25 PM
Jennifer thanks, can you tell me how to create the static PAT translation for the server on TCP/1723 and the access-list on the outside interface?
If I do give them a separate IP address then how do I configure that?
Again, thank you very much for your time.
02-27-2011 04:32 PM
Can you please share your existing configuration so I can give you the exact commands?
Also, which public IP address would you like to use for this?
And what is their internal server IP address?
And if you give them a separate IP address, please also advise that IP address.
Depending on which version of ASA you have, the config will be different.
02-27-2011 05:09 PM
I want to use our current IP, for example 24.243.234.42. We are using this IP for remote access and the VPN tunnel for the remote site. That should not be an issue, right?
Let's say their internal server IP is 10.10.11.60.
Let's say I have to provide a separate IP address; then it's going to be 24.243.234.45.
Also, is there any security risk in doing this?
The following is an example of our config:
:
ASA Version 8.0(4)
!
hostname ASA-A1
domain-name domain.net
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 24.243.234.42 255.255.255.224
!
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.10.10.200 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 100
ip address 10.10.11.5 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
02-27-2011 05:18 PM
I see that you have interface Ethernet0/2 configured for 10.10.11.0/24 subnet, however, it has not been named yet. Assuming that you are going to name it "inside-companyA":
If you want to use the outside ip address (24.243.234.42), here is the configuration:
static (inside-companyA,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255
access-list 100 extended permit tcp any interface outside eq 1723
If you want to use a spare ip address (24.243.234.45) just for PPTP, then here is the configuration:
static (inside-companyA,outside) 24.243.234.45 10.10.11.60 netmask 255.255.255.255
access-list 100 extended permit tcp any host 24.243.234.45 eq 1723
Hope that helps.
02-27-2011 05:38 PM
Thank you very much.
Interface Ethernet0/2 was being used for MPLS but not anymore. So if I do the following with our current IP address then it should work, right?
static (inside,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255
access-list 100 extended permit tcp any interface outside eq 1723
02-27-2011 08:19 PM
Providing that 10.10.11.0/24 will be routed out the inside interface, yes, you are absolutely correct.
As per your current configuration, I don't see a route for 10.10.11.0/24 towards your inside interface, hence I would just like to double-confirm how the ASA is reaching 10.10.11.0/24.
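Pulling the thread together, here is an added example (not posted by Jennifer or the original poster) of the complete ASA 8.0(4) configuration for the shared-address option, written against the config shown earlier. It goes slightly beyond the snippets in the thread: it brings up Ethernet0/2 under the assumed name "inside-companyA" so the 10.10.11.0/24 segment becomes a connected route (which answers the routing question in the last reply), binds the access-list to the outside interface, and shows the "inspect pptp" policy that the poster says is already in place. The interface name, the use of Ethernet0/2 for the tenant, and the verification commands at the end are assumptions; the server address 10.10.11.60 and the public addresses are the ones given in the thread.

```cisco
! Added example, not from the thread. Assumes the tenant's segment is
! Ethernet0/2, named "inside-companyA", and their PPTP server is 10.10.11.60.
!
! 1. Bring up the tenant interface. The running config posted above shows it
!    "shutdown" with "no nameif"; a static statement cannot reference an
!    interface that has no nameif, and the ASA has no route to 10.10.11.0/24
!    until the interface is up (it then appears as a connected route, so no
!    separate "route" statement is required).
interface Ethernet0/2
 nameif inside-companyA
 security-level 100
 ip address 10.10.11.5 255.255.255.0
 no shutdown
!
! 2. Static PAT: forward TCP/1723 arriving on the shared outside address
!    (24.243.234.42, the interface IP) to the tenant's PPTP server. Only this
!    one port is handed to the tenant; the existing remote-access and
!    site-to-site VPN use of the public address is untouched.
static (inside-companyA,outside) tcp interface 1723 10.10.11.60 1723 netmask 255.255.255.255
!
! 3. Permit the inbound control connection. The thread uses "any" as the
!    source; if the tenant's remote users connect from known addresses,
!    replace "any" with those hosts or networks to narrow the exposure.
access-list 100 extended permit tcp any interface outside eq 1723
!
! 4. An access-list filters nothing until it is bound to the interface.
!    If access-list 100 is already applied inbound on outside, this line is
!    already present and the new entry simply joins the existing list.
access-group 100 in interface outside
!
! 5. PPTP's data channel is GRE (IP protocol 47), not TCP. "inspect pptp"
!    watches the TCP/1723 control channel and opens the GRE translation for
!    each call, which is what lets the data channel reach the server through
!    a port-level PAT. The poster reports this is already enabled; this is
!    how it appears in the default global policy.
policy-map global_policy
 class inspection_default
  inspect pptp
!
! Alternative (spare-address option from the thread): a one-to-one static
! maps every port of 24.243.234.45 to the server, so the access-list entry
! is the only thing limiting what reaches it. Use one option or the other.
! static (inside-companyA,outside) 24.243.234.45 10.10.11.60 netmask 255.255.255.255
! access-list 100 extended permit tcp any host 24.243.234.45 eq 1723
!
! Verification (assumed CLI checks after applying the change):
! show xlate | include 10.10.11.60     -> the static PAT entry exists
! show access-list 100                  -> hit counts climb on the 1723 line
! show service-policy | include pptp    -> PPTP inspection is active
```

With the port-level static PAT, the only new inbound exposure on the shared firewall address is TCP/1723 plus the GRE sessions that inspection opens per call; the spare-address variant exposes a whole public address to the tenant's host and relies entirely on the access-list, which is why restricting the source beyond "any" matters more there.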