Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

Static IP ASA network to Dynamic/NATed ASA network. Pass thru public IP to private IP over VPN.

I recently had a client get a 'snow job' from their internet provider.  They had decent internet service with a public static ip that seeming now is no longer good once they were bought out by a larger company.  The company 'upgraded' them to use their new LTE network.  Management went ahead with this without checking with IT (me) and their new internet services does not have any static ip options AND it doesn't even have a real public ip being delivered to our router.  All traffic arrives in a 192.168.209.x NATed network.


I've been able to restore the VPN doing the STATIC to DYNAMIC IPSEC setup but now I want to assign a STATIC IP at SITE A to route to a private IP at SITE B.  I've done this before many years ago with ASA 5505's on v7 but lost the config.


SITE A is ASA 5512x on 8.6(1)2

SITE B is ASA 5505 on 8.2(5)


I have a /26 network at SITE A and have many working inbound routes for public IPs to private IP for servers at SITE A.  I'd like to assign one of the spare PUBLIC IP's at SITE A and have specified ports forwarded to a private IP at SITE B.

ie. SITE A  - port 80 -> VPN -> SITE B web server port 80.


I copied existing working configuration that routes public IPs from SITE A to private IPs at SITE A but it doesn't seem to work when putting in the SITE B private IP.  From SITE A network I can access the server using the private IP so the VPN is fine.


object network SITE_B_PRIVATE

object network SITE_A_PUBLIC

object network SITE_B_PRIVATE
nat (inside,outside) static SITE_A_PUBLIC


access-list OUTSIDE_ACL extended permit tcp any object SITE_A_PRIVATE eq http


When I show the access-list OUTSIDE_ACL I do see the hit count go up when hitting the public IP on port 80 from external sources but it doesn't make the final connection to the server at SITE B.


Any thoughts? 


Thanks, Paul.