Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1023
Views
0
Helpful
3
Replies

[Cisco ASA 5510] Can we use external IP as encryptoin domain in IPsec? How ?

mohitvicky
Level 1
Level 1

‎06-18-2014 08:15 PM - edited ‎02-21-2020 07:41 PM

In a IPsec site to site VPN, can we use an external public IP as encryption domain. And will the traffic forwarded to that external public IP ?

Here is a diagram to explain the scenario better.

Host 10.x.x.70 does not have internet connectivity, it wants to connect to 54.x.x.168 via IPsec tunnel.

Labels:
0 Helpful
3 Replies 3

nkarthikeyan
Level 7
Level 7

‎06-18-2014 10:36 PM

Hi Mohit,

 

Yes. You can achieve that using the NAT on your end VPN device. For that you need to create an access-list with Source as your LAN(Private) IP and have the actual destination as it is (54.x.x.168) in your scenario. You just have the NAT created for this access-list with some public IP.

 

You crypto-map ACL should have the NATed Public IP of your local LAN IP as source and destination is already a public zone. So no change is required. On the other end they have to create the crypto map to your public IP only.

 

If you do like that your scenario will work without any issue.

 

HTH

 

Regards

Karthik

0 Helpful

mohitvicky
Level 1
Level 1
In response to nkarthikeyan

‎06-19-2014 01:01 AM

Right now my crypto map acl source is 'any'. If i give specific IP, then ipsec phase doesn't get through.

 

Here is current conf:

access-list outside_cryptomap_2 extended permit ip any host 10.x.x.70

 

You are suggesting:

access-list name extended permit ip <LOCAL_IP> <net mast> host 54.x.x.168 

access-list outside_cryptomap_2 extended permit ip 54.x.x.168 host 10.x.x.70

Is this what you mean ?

 

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to mohitvicky

‎06-19-2014 01:57 AM

Hi Mohit,

You have to make changes @ both the ends if you have any rule....

Juniper Srx Side:

You have to NAT the 10.x.x.70 to a public IP using NAT. At the same time you have to make the required changes in crypto-map ACL of that or similar in Junos Platform. There Source is x.x.x.x (NAT IP of 10.x.x.x) & Destination would be 54.x.x.168.

On Cisco ASA side:

access-list outside_cryptomap_2 extended permit ip 54.x.x.168 host x.x.x.x ( NAT IP of 10.x.x.x)

 

So both the end crypto ACL negotiation will go through and communication heppens in the form of public IP to the Public IP..... That gives you the solution.

 

HTH

 

Regards

Karthik

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents