08-13-2010 10:35 AM - edited 02-21-2020 04:47 PM
Hi guys,
I have a question.
I need to build an IPSec VPN using the ASA-5500 firewall, but I only have one invalid IP address on my outside interface, 192.168.x.y. This interface is connected to the Ethernet router of the provider, which makes a single default route to a valid address, 200.140.x.y, passing through the outside interface of the ASA-5500.
How can I publish this valid address 200.140.x.y for access by my VPN users?
The topology is attached.
Please help me.
Thanks a lot
Anderson
08-14-2010 09:03 AM
Hello,
It seems like your ISP is translating 200.140.x.y address to the outside
interface IP of the ASA. Can you ping 200.140.x.y address from internet?
(Make sure that you have enabled icmp on the outside interface "icmp permit
any outside"). If that is working, then you can use that IP for VPN
purposes.
Hope this helps.
Regards,
NT
08-14-2010 09:34 AM
Hi Miss Thanthry,
Thanks for your answer...
I cannot ping the 200.212.x.y address from the internet.
The guy from the ISP made a NAT of 200.246.x.y to the outside interface of my ASA.
In the ISP ROUTER
interface FastEthernet0/0
description *** CONECT TO LAN ***
ip address 192.168.254.4 255.255.255.248
ip accounting output-packets
ip nat inside
duplex auto
speed auto
interface Serial0/0/0
bandwidth 2048
ip address 200.245.K.K 255.255.255.252
ip nat inside
encapsulation ppp
ip route-cache flow
no fair-queue
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.245.141.37
ip route 172.16.0.220 255.255.255.255 192.168.254.2
ip route 200.212.x.0 255.255.255.192 192.168.254.2
ip route 200.212.x.y 255.255.255.255 192.168.254.5
no ip http server
no ip http secure-server
ip nat inside source static 200.212.x.y 192.168.254.5 [only one ip address]
In the ASA
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.254.5 255.255.255.248
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.0.103 255.255.252.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
But the VPN does not work...
08-14-2010 10:18 AM
Hello,
First of all, it is not Miss.. It is Mr.
For your question, from the configuration, your ISP is translating the
public IP to your ASA's inside IP. So, I don't see any issues over there.
One thing I noticed is your default gateway on the firewall pointing to .1
when the inside interface of ISP router is .4. To verify connectivity, try
the following:
on the firewall:
ssh 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024
Once the above commands are entered, try to ssh to the public IP address. If you
are able to log in to the ASA using the public IP, that means the public IP
is directly getting translated to ASA and you should not have any problem in
using that IP for VPN.
Hope this helps.
Regards,
NT
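The gateway mismatch noted in the reply above (ASA default route to .1, ISP router LAN interface on .4) can be checked mechanically. The following is an added example, not part of the original thread: a Python sketch that parses trimmed, constructed copies of the two posted configurations and reports whether the ASA's default next hop is an address the upstream router holds on the shared subnet. The function names are hypothetical and 203.0.113.2 is a placeholder for the masked serial address.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the configurations posted in the thread.
# 203.0.113.2 is a placeholder for the masked serial address 200.245.K.K.
ROUTER_CFG = """interface FastEthernet0/0
ip address 192.168.254.4 255.255.255.248
interface Serial0/0/0
ip address 203.0.113.2 255.255.255.252
"""
ASA_CFG = """interface GigabitEthernet0/0
nameif outside
ip address 192.168.254.5 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
"""
ADDR = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE = re.compile(r"^\s*route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def interface_addrs(cfg):
    """Every 'ip address <addr> <mask>' line as an IPv4Interface."""
    hits = (ADDR.match(line) for line in cfg.splitlines())
    return [ipaddress.IPv4Interface(f"{m[1]}/{m[2]}") for m in hits if m]

def asa_outside(cfg):
    """(address of the interface named 'outside', default next hop) from an ASA config."""
    nameif = outside = hop = None
    for line in cfg.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            nameif = None                      # a new interface block starts
        elif words[:1] == ["nameif"]:
            nameif = words[1]
        elif nameif == "outside" and ADDR.match(line):
            outside = interface_addrs(line)[0]
        elif ROUTE.match(line):
            hop = ipaddress.IPv4Address(ROUTE.match(line)[1])
    return outside, hop

def check_default_route(asa_cfg, router_cfg):
    """Findings about the ASA default route versus the upstream router's addresses."""
    outside, hop = asa_outside(asa_cfg)
    if outside is None or hop is None:
        return ["no outside address or default route found in the ASA config"]
    findings = []
    if hop not in outside.network:
        findings.append(f"next hop {hop} is not in {outside.network}")
    peers = [str(i.ip) for i in interface_addrs(router_cfg) if i.network == outside.network]
    if str(hop) not in peers:
        findings.append(f"next hop {hop} is not a router address on {outside.network}; router has {', '.join(peers) or 'none'}")
    return findings

if __name__ == "__main__":
    print(check_default_route(ASA_CFG, ROUTER_CFG))
```

A finding only means the next hop does not appear in the router configuration shown; another device on the segment may own that address.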
08-14-2010 10:26 AM
Thanks a lot, Mr. Thanthry,
I will test on Monday.
Thank you.
Regards,
Anderson
08-16-2010 11:15 AM
Thank you, Mr. Thanthry.
This morning I made all the tests and the environment works pretty well.
Thank you a lot.
Regards,
Anderson Oliveira de Andrade
CCVP, CCNP, CCIEv wr exam.