L2L VPN Between Local Site (Public IP) And Remote Site (NAT IP)?

kbrinnehl
Level 1

We are looking to set up an ASA 5510 (running ASA 8.3.2) at a remote site that we need to connect back to the ASA 5520 (running ASA 8.2.4) at our central office via L2L tunnels. The issue we are having is that the remote site is on another organization's network, and they are only giving us a private IP address for the outside interface on that ASA. They are, however, willing and able to NAT that address to one of their public IP addresses on their router or firewall. They just aren't able to route it to the location where our ASA will be so we can assign it to the outside interface. They said that routing the IP over to our device would be possible if absolutely necessary, but they aren't eager to do so.

So, the question is: is there a way to build a tunnel between the two ASA devices, where one ASA would have a public/internet-routable address, and the other ASA would have a private address that is NAT'd upstream to a public routable address? Are we looking at needing to build a dynamic tunnel from the remote host to our central office? Or is there still a way to do a static tunnel? I haven't had good luck with dynamic tunnels in the past, so I'm leery of going down that path if there is another choice available.

3 Replies

Jouni Forss
VIP Alumni

Hi,

You say they are willing to NAT the local ASA to one of their public IP addresses?

So I assume it isn't NATed to its own IP address with Static NAT then?

- Jouni

Thanks for the response. The firewall currently isn't in place, and won't be until we can figure out this tunnel issue. They are proposing that we static NAT the traffic to the outside address of the ASA (private IP) that they want us to assign to the ASA, and then they'll NAT it at their gateway device (unsure if it's a router or another ASA) to the static public address that they are willing to give us.

Hi,

Well, to my understanding that should be fine, as some of our customers (or rather the 3rd party that provides the devices) sometimes want to use their own devices behind our Cisco FWSM or ASA Firewalls. We then usually provide them with a public IP address that will be translated to the local WAN IP address of the VPN device with Static NAT.

- Jouni
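The mechanism that makes the setup asked about above work is IKE NAT-Traversal: during Phase 1 each peer sends NAT-D payloads (RFC 3947) hashing the addresses it believes are in use, the other side recomputes them from the IP/UDP header it actually received, and a mismatch reveals the NAT, after which ESP is carried in UDP/4500 (RFC 3948). The following simulation is an added example written for this thread, not code from the original posts or from Cisco; the cookies, addresses and ports are constructed sample values, and the hash algorithm (SHA-1) is assumed to be the negotiated Phase 1 hash. It shows why the hub only ever sees the third party's static NAT address for the spoke, and why the spoke, whose outside interface holds a private IP, learns that it is the one behind NAT.

```python
"""Simulate IKEv1 NAT-Traversal detection (RFC 3947 NAT-D payloads) between a
hub ASA with a public outside IP and a spoke ASA whose outside interface holds a
private IP that is statically NATed upstream by a third party.

Added example; all cookies, addresses and ports are constructed sample values."""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The negotiated Phase 1 hash is used on real peers; SHA-1 is assumed here."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """A peer sends two NAT-D payloads: first the remote address it is talking to,
    then its own local address, both as that peer itself sees them."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver's check: recompute the hashes from the addresses actually present
    in the IP/UDP header. A mismatch on the first payload means *we* are behind
    NAT (our address was rewritten before the sender saw it); a mismatch on the
    second means the *sender* is behind NAT."""
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, *observed_dst)
    peer_behind_nat = received[1] != nat_d_hash(cky_i, cky_r, *observed_src)
    return {"self_behind_nat": self_behind_nat, "peer_behind_nat": peer_behind_nat}


def esp_transport(detection):
    """Result of detection: NAT anywhere on the path moves IKE to UDP/4500 and
    wraps ESP in UDP (RFC 3948); otherwise native ESP (IP protocol 50) is used."""
    if detection["self_behind_nat"] or detection["peer_behind_nat"]:
        return "udp-encapsulated ESP, UDP/4500"
    return "native ESP, IP protocol 50"


def simulate():
    """Run one Phase 1 NAT-D exchange in both directions; returns (hub view, spoke view)."""
    # Constructed sample values (not from the thread).
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    hub_public = ("203.0.113.10", 500)        # central-office ASA, public outside interface
    spoke_private = ("10.20.30.2", 500)       # remote ASA, private outside interface
    spoke_nat_public = ("198.51.100.7", 500)  # third party's static NAT for the spoke

    # Spoke initiates and hashes what it sees: the hub's public IP and its own private IP.
    spoke_payloads = build_nat_d_payloads(cky_i, cky_r, local=spoke_private, remote=hub_public)
    # On the hub the packet arrives from the NAT address, not from the private one.
    hub_view = detect_nat(cky_i, cky_r, spoke_payloads,
                          observed_src=spoke_nat_public, observed_dst=hub_public)

    # Hub replies, hashing the address it saw the spoke from (the NAT address) and its own.
    hub_payloads = build_nat_d_payloads(cky_i, cky_r, local=hub_public, remote=spoke_nat_public)
    # The static NAT rewrites the destination back to the private IP before the spoke sees it.
    spoke_view = detect_nat(cky_i, cky_r, hub_payloads,
                            observed_src=hub_public, observed_dst=spoke_private)
    return hub_view, spoke_view


if __name__ == "__main__":
    hub_view, spoke_view = simulate()
    print("hub sees:  ", hub_view, "->", esp_transport(hub_view))
    print("spoke sees:", spoke_view, "->", esp_transport(spoke_view))
```

Two practical consequences follow from the simulation. The hub only ever observes the spoke at the third party's static NAT address, so that public address is the peer identity the hub's configuration must reference, not the private interface IP assigned to the spoke. And because the spoke detects that it is behind NAT, a static tunnel only works if NAT-Traversal is left enabled on both ASAs and the third party passes UDP/500 and UDP/4500 through its static NAT; a one-to-one static NAT of the whole address, as the third party offered, satisfies that.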
