ASA L2L WAN IP to Public Peers

v0r73x117
Level 1

Hi All,

I have the requirement to set up a VPN from our network to a Developer with the basic topology below:

Our Private Subnet -- ASA (WAN IP) -- VPN -- Developer Public Endpoint --- Developer Protected Public IPs

So the developer has a bunch of public IPs that are protected behind a single endpoint; in order for us to access them, we need our external IP to establish a VPN to that endpoint.

If I understand correctly, we won't be using NAT, as the internal IPs will PAT behind the external IP. Traffic destined to the developer's public IPs will then bring up the VPN tunnel and all works as expected (I think?!).

Below is the basic config off the top of my head, is this correct or am I getting very confused?

object network DEVELOP1
 host 2.2.2.2
object network OUR-WAN
 host 1.1.1.1
object network OUR-LAN
 subnet 192.168.10.0 255.255.255.0
!
nat (vlan10,outside) after-auto source dynamic OUR-LAN OUR-WAN
!
access-list outside_cryptomap extended permit ip object OUR-WAN object DEVELOP1
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 5.5.5.5
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
!
crypto map outside_map interface outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
group-policy GroupPolicy_5.5.5.5 internal
group-policy GroupPolicy_5.5.5.5 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 general-attributes
 default-group-policy GroupPolicy_5.5.5.5
tunnel-group 5.5.5.5 ipsec-attributes
 ikev1 pre-shared-key thepassword

Accepted Solution

nkarthikeyan
Level 7

Hi,

You can have communication between the public-to-public IP stacks through the L2L tunnel. All you need is NAT/PAT at both ends, and your crypto map statement should be with your NAT or PAT address instead of the private LAN. Looking at your config, it seems to be okay. Also, I hope your LAN users only initiate the traffic, right?

Because for going out, you can have a generic PAT, but when the other end accepts that traffic, they should either have a dedicated static NAT or the direct public IPs of the servers at their end, or at least some kind of port forwarding done at their end. If both ends have a generic PAT then it won't work.

Regards

Karthik

Hi Karthik,

Thanks for the response, that was my initial understanding so hopefully it's correct.

Yes, traffic is initiated from LAN users, and the other side does have direct public IPs we are accessing. Would there be any further considerations should our outside interface have a different IP than the one we are binding our vlan10 traffic to (the developer will use the vlan10-bound WAN IP as the peer)?

For instance:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.8 255.255.255.0
!
interface Ethernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.168.10.254 255.255.255.0

Hi,

Yes. It is preferred to use a dedicated PAT IP for S2S, since you need to differentiate the traffic between the L2L and other generic traffic.

I have done this in my experience; it works like a charm.

Regards

Karthik

Hi Karthik,

Sorry, are you saying that example is correct?

If we PAT traffic for our VLAN10 out of 1.1.1.1, for example, it's this IP that we use as the peer, as it is also the IP that it will see as the interesting traffic to bring up the VPN when destined to the developer's IPs?

Normal internet traffic for our inside network is then using PAT behind the outside 8.8.8.8 IP, so all should work as hoped?

Thanks again.

Hi,

Yes.

You can have a dedicated PAT IP for site-to-site tunnel traffic, and you can map a NAT for the outside interface for other generic traffic.

Regards

Karthik
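Editor's note: the thread agrees on the design (dedicated PAT address for tunnel traffic, generic PAT for everything else) but never shows the NAT rules that make the two PAT addresses coexist, and the original post's single `after-auto` rule would send all vlan10 traffic, Internet-bound included, out as 1.1.1.1. The configuration below is an added example written for this page, not code posted by either participant. It reuses the addresses from the thread (192.168.10.0/24 on vlan10, 1.1.1.1 as the dedicated PAT address, 8.8.8.8 on the outside interface, 5.5.5.5 as the developer's endpoint, 2.2.2.2 as the protected host); the IKEv2/AES-256/SHA-256/group 14 parameters, the pre-shared key placeholder, and the 203.0.113.10 Internet host used in the check are assumptions and must be agreed with the developer. Two practitioner caveats it encodes: the ASA always sources IKE from the outside interface's own address, so the developer must configure 8.8.8.8 as the IKE peer and 1.1.1.1 as the remote encryption domain; and the crypto ACL is evaluated after NAT, so its source must be the translated 1.1.1.1, exactly as the accepted answer says.

```cisco
! Added example (not from the thread). Addresses reused from the thread; crypto
! parameters and the placeholder PSK are assumptions.
object network OUR-LAN
 subnet 192.168.10.0 255.255.255.0
object network OUR-WAN
 host 1.1.1.1
object network DEVELOP1
 host 2.2.2.2
!
! NAT section 1 (manual NAT, evaluated first): only LAN traffic whose
! destination is the developer's protected host is PATed to 1.1.1.1.
nat (vlan10,outside) source dynamic OUR-LAN OUR-WAN destination static DEVELOP1 DEVELOP1
! NAT section 3 (after-auto, evaluated last): all other LAN traffic is PATed
! to the outside interface address (8.8.8.8) for ordinary Internet access.
nat (vlan10,outside) after-auto source dynamic OUR-LAN interface
!
! Interesting traffic is matched AFTER NAT, so the source is the translated
! 1.1.1.1, not 192.168.10.0/24. Because the rule is a dynamic PAT, only the
! LAN side can initiate; the developer cannot open connections to 1.1.1.1.
access-list outside_cryptomap extended permit ip object OUR-WAN object DEVELOP1
!
! IKEv2 with AES-256/SHA-256/DH group 14 (assumed; the peer must support it).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 5.5.5.5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 1 set pfs group14
crypto map outside_map interface outside
!
group-policy GroupPolicy_5.5.5.5 internal
group-policy GroupPolicy_5.5.5.5 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 general-attributes
 default-group-policy GroupPolicy_5.5.5.5
tunnel-group 5.5.5.5 ipsec-attributes
 ikev2 local-authentication pre-shared-key <long-random-psk>
 ikev2 remote-authentication pre-shared-key <long-random-psk>
!
! Checks. The first trace must show the NAT phase translating to 1.1.1.1 and a
! VPN phase; the second must translate to 8.8.8.8 with no VPN phase
! (203.0.113.10 is a constructed Internet destination).
packet-tracer input vlan10 tcp 192.168.10.10 40000 2.2.2.2 443
packet-tracer input vlan10 tcp 192.168.10.10 40000 203.0.113.10 443
show nat detail
show crypto ikev2 sa
show crypto ipsec sa peer 5.5.5.5
```

Because 1.1.1.1 only ever appears as the inner source inside the tunnel (the ESP packets themselves travel between 8.8.8.8 and 5.5.5.5), it does not have to be routed to the ASA from the Internet; it just has to be the address the developer permits in their encryption domain. The default `sysopt connection permit-vpn` lets the decrypted return traffic bypass the outside interface ACL; if that has been disabled, the outside ACL must permit 2.2.2.2 to 1.1.1.1 as well.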
