Please can someone provide a sample configuration for terminating a VPN on the inside interface, which has a private address, passing through the outside interface.
I am OK setting up VPNs on the outside interface but I'm struggling to set one up that goes through the firewall.
If you're talking about ASA, I think it can't be done. I once tried very hard and it doesn't work as expected.
If you're talking about ISRs then my suggestion is to use a tunnel interface.
It was on an ASA 5510.
I gave up in the end and got a static IP for the WAN interface. BT provide the No NAT 5 service so I can't be the only one that has come across this issue.
Thanks for the response though.
Just out of interest, what was the reason to even attempt to configure the VPN on the "inside" interface of the ASA? I have never run into a situation where I would even need to consider such a setup.
The IP address that is assigned to the outside interface (when BT provide 'No NAT 5') is dynamic.
I realise I can set up a VPN with a dynamic address but this will be problematic when dealing with third parties.
The 5 static IP addresses that are assigned are on a different subnet to the one dynamically assigned to the outside interface. BT route the traffic for the static subnet to the dynamically assigned IP address (dynamic peering).
I tried assigning one of the static IPs to an interface and applying the crypto map to the inside (it was a DMZ actually) interface. I also tried NATing the static IP to an inside private address with no luck.
I'd still be interested to know if terminating a VPN through the firewall can be done. There's some stuff on Google that suggests it can be done but I had no success. I couldn't get phase 1 complete. I could see attempts to set it up so the routing and interesting traffic were correctly identified.