Cisco ASA behind Layer Three Switch, NAT public IP to itself

Zain.Zainal
Level 1

I'm building a transit network with our internet provider terminating on a layer 3 switch. The IP addresses below are all made up.

| ISP Router 1.1.1.1/32 | ---------- | Layer 3 Switch 1.1.1.2/32 |

And the ISP will route our public range (2.2.2.0/24) to our layer 3 switch. From there, I can route this public range onto the outside of our ASA, which NATs the public IPs onto the private IPs of the servers in my LAN.

| Layer 3 Switch 10.0.0.1/32 | ---------- | Cisco ASA 10.0.0.2/32 |

ip route 2.2.2.0 255.255.255.0 10.0.0.2

I think this will be fine for the servers behind the firewall, but I can't work out how to add a site-to-site VPN on the firewall. Obviously I can't route to 10.0.0.2 over the public internet, but I can't see how to get the firewall to see an incoming packet for one of the public IPs and treat it as if it were sent to the firewall. Do I need a static NAT statement from the public IP (2.2.2.1) to the private IP of the firewall (10.0.0.2)?

Has anyone else ever come across this problem? Any ideas?

1 Reply

Julio Carvajal
VIP Alumni

Hello,

The NAT statement will not be done on the ASA as it has a private IP address on the outside interface.

So you will either need to tell the ISP to do some sort of DMZ capability to one of the public IP addresses they have and then just wait for the packets to arrive at the firewall.

NAT traversal will be used here to make this happen through a NAT device.

This is a common scenario but NAT will be needed here to make it happen at some place :)

Regards.

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
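The static 1:1 mapping the question asks about and the reply says must happen upstream of the ASA, written out as an added example (this is not configuration from either poster). It assumes the layer 3 switch is an IOS platform that supports NAT, that the transit links are /30s, that 2.2.2.1 is reserved as the firewall's public VPN address and never used in the ASA's own server NAT rules, and that the interface names are illustrative. If the switch cannot do NAT, the same static mapping has to be done by the ISP, as the reply suggests; the ASA side is the same either way.

```cisco
! ---- Layer 3 switch (IOS syntax; assumes the platform supports NAT) ----
! ISP-facing link, assumed /30 towards the ISP router 1.1.1.1
interface GigabitEthernet1/0/1
 description uplink to ISP router 1.1.1.1
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
!
! ASA-facing transit link, assumed /30 towards the ASA outside interface 10.0.0.2
interface GigabitEthernet1/0/2
 description transit to ASA outside 10.0.0.2
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
!
! 1:1 static NAT: 2.2.2.1 on the internet is the ASA's own outside address 10.0.0.2.
! A plain address mapping (no port translation) carries IKE (UDP/500), NAT-T (UDP/4500)
! and ESP (IP protocol 50) unchanged, so the ASA can terminate the site-to-site tunnel.
ip nat inside source static 10.0.0.2 2.2.2.1
!
! The rest of the public block is still routed to the ASA, which NATs it to the servers.
! 2.2.2.1 must not be reused by any ASA server NAT rule, or it will overlap this mapping.
ip route 2.2.2.0 255.255.255.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 1.1.1.1

! ---- ASA ----
! NAT traversal is enabled by default on current ASA releases; stated explicitly here
! because the ASA sits behind the switch's static NAT and will see itself as NATed.
crypto isakmp nat-traversal 20
! The remote site configures 2.2.2.1 (not 10.0.0.2) as its VPN peer address.
```

To confirm the mapping, `show ip nat translations` on the switch should list the static entry for 10.0.0.2 to 2.2.2.1 before any tunnel is brought up, and `show crypto isakmp sa` on the ASA should show the peer negotiating over UDP/4500 once NAT is detected. If the ISP-facing interface carries an inbound ACL, it needs to permit UDP/500, UDP/4500 and ESP to 2.2.2.1 for the tunnel to come up.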