02-19-2013 06:44 AM - edited 03-11-2019 06:02 PM
I will be setting up a VPN with a client soon. They are shipping 2 Cisco 861's that are planning to go behind our ASA 5505. They are set up to be NATed.
I am trying to understand what the best way to do this would be as I seem to keep running into limitations of the ASA 5505.
Our ASA has a public IP of 2.1.2.14/30 assigned to its outside interface.
The public IPs to be NATed to the 861's are 2.1.2.218 and 2.1.2.219/29.
1. How can I assign this separate public IP block to the ASA? Is it even possible?
2. If not possible, what would other options be?
3. Would an upgraded license that allows for additional interfaces make this easier? (I would not do the NATing then, just assign the new public IP block to another interface)
Appreciate any help or suggestions.
02-19-2013 10:01 AM
Hi,
Are you saying that you are going to add Cisco routers behind your ASA 5505 firewall in the purpose of building VPN connections with the Cisco 861 routers?
If the only purpose of the 861's is providing a VPN connection I would forget that and configure the VPN on the ASA5505 itself and not the routers. There's no reason to make the situation harder than it is.
Why are they shipping 2x 861?
- Jouni
02-19-2013 02:36 PM
I agree with you 100%. It's how we set up VPN to other companies.
However this one is very firm in the fact that we must use their hardware, 2 for redundancy I guess.
I am just thinking of NATing the public IP to a private IP for them.
Just have to brush up on my NATing...
02-19-2013 02:57 PM
Hi,
I personally run into these situations too, and on more than one occasion the users start to run into different kinds of problems when they have additional hardware on their LAN that we don't manage.
If you HAVE to do this as you described, I would need some additional information:
The first thing mentioned above would be needed to confirm what NAT format to use.
Otherwise if the following 2 are true then there should be no problem using the additional IP address range on your ASA5505 firewall.
There are 2 ways to go.
Option 1.
Option 2.
Hopefully I made some sense. Please ask more if I was unclear about something above (which might be possible).
- Jouni
02-20-2013 05:09 AM
Jouni,
Thank you for the reply. It was very informative and helpful.
As to your questions:
1. Cisco Adaptive Security Appliance Software Version 8.2(1) Device Manager Version 6.2(1)
2. Yes Base license with unlimited users. (No Security Plus)
3. We originally had a /30 subnet from the ISP. This would now allow us to have 2 spare public IPs so we requested additional IPs. They then gave us the /29 network to use.
I am leaning toward option 1. I was able to do a quick test using a basic NAT rule:
static (inside,outside) 2.1.2.219 192.168.5.29 netmask 255.255.255.255
I was then able to ssh to a host with the internal IP address 192.168.5.29 from a server on the cloud using the public IP, 2.1.2.219.
I think the biggest hurdle for me will be coming up with the necessary NATing rules. Especially since the 861's will have a separate private network (10.64.0.0/13) and I will need to allow for traffic between the two networks as well as traffic from the 10.64.0.0/13 network to have access to the internet.
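The NAT rule set the last post is asking about, as an added example in ASA 8.2 syntax (not configuration from anyone in this thread). It assumes the local LAN is 192.168.5.0/24, the first 861 is 192.168.5.29 (from the test above), the second 861 is 192.168.5.30 (placeholder), the 10.64.0.0/13 network is reached through the 861 at .29, and PARTNER_PEER stands for the partner's public VPN address.

```cisco
! Added example, not from the thread. Assumed inside IPs: 192.168.5.29 (first 861,
! from the test above) and 192.168.5.30 (second 861, placeholder).

! One-to-one static NAT for each 861 so its public address never changes
! (an IPsec peer behind NAT needs a fixed translation; NAT-T carries ESP over udp/4500).
static (inside,outside) 2.1.2.219 192.168.5.29 netmask 255.255.255.255
static (inside,outside) 2.1.2.218 192.168.5.30 netmask 255.255.255.255

! Only the partner's VPN peer may reach the 861s, and only on IKE, NAT-T and ESP.
! PARTNER_PEER is a placeholder for the partner's real public address.
access-list OUTSIDE_IN extended permit udp host PARTNER_PEER host 2.1.2.219 eq isakmp
access-list OUTSIDE_IN extended permit udp host PARTNER_PEER host 2.1.2.219 eq 4500
access-list OUTSIDE_IN extended permit esp host PARTNER_PEER host 2.1.2.219
access-list OUTSIDE_IN extended permit udp host PARTNER_PEER host 2.1.2.218 eq isakmp
access-list OUTSIDE_IN extended permit udp host PARTNER_PEER host 2.1.2.218 eq 4500
access-list OUTSIDE_IN extended permit esp host PARTNER_PEER host 2.1.2.218
access-group OUTSIDE_IN in interface outside

! The ASA must know that 10.64.0.0/13 sits behind the 861 (assumed next hop .29).
route inside 10.64.0.0 255.248.0.0 192.168.5.29

! LAN <-> 10.64.0.0/13 traffic enters and leaves the same inside interface on a
! Base-license 5505, so allow the hairpin and exempt that traffic from NAT.
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 10.64.0.0 255.248.0.0
nat (inside) 0 access-list NONAT

! Internet access for both the LAN and 10.64.0.0/13 via PAT on the outside address.
nat (inside) 1 192.168.5.0 255.255.255.0
nat (inside) 1 10.64.0.0 255.248.0.0
global (outside) 1 interface
```

In 8.2 the `nat 0 access-list` exemption is evaluated before the `static` entries, so the two 861 translations do not interfere with LAN-to-10.64.0.0/13 traffic.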