03-20-2010 04:29 AM - edited 02-21-2020 04:33 PM
Hello guys,
I have a Cisco ASA5520 that is facing the ISP with a private IP address. We have no router, so how do we route an IPSec VPN across the internet?
The issue is outside interface pointing to ISP is private IP address and inside as well.
Firewall config:
Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0
Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100
I have public IP block 199.9.9.1/28
How can I use the public IP address to create an IPSec VPN tunnel between two sites across the internet?
Should I assign one public IP address to the Gig1 inside interface with security-level 100, and how do I apply the inside to route on this interface?
If I configure >>firewall inside Gi1 interface ip address 199.9.9.1/28 with security-level 100, how do I make sure VPN traffic is routed through this interface across the internet?
I am used to assigning public IP address to outside interface of the firewall and private IP address to inside interface.
Please help with configuration examples and advise.
Thanks,
Eric
03-20-2010 05:21 AM
Unfortunately you can only terminate VPN connection on the interface where the VPN connection is coming from, in your case the outside interface.
3 options:
1) Connect a router in front of the ASA, and assign your public ip address to the ASA outside interface.
OR/
2) If your ISP can perform static 1 to 1 translation, then you can still terminate the VPN on the outside interface, and ask your ISP what is the static ip address assigned for your ASA outside ip address (10.0.1.2) - this allows you to initiate the VPN bidirectionally
OR/
3) If your ISP performs PAT (dynamic NAT), then you can only initiate the VPN tunnel from ASA side, and the other end of the tunnel needs to be configured to allow dynamic LAN-to-LAN VPN.
03-20-2010 12:11 PM
Halijenn,
Thank you so much for your confirmation; I will communicate with my ISP about possibly resolving this issue. Currently the two sites are exchanging traffic through host-to-host NAT translation via the internet. We wanted a full VPN where traffic can flow bidirectionally.
Thanks,
Eric
03-23-2010 01:31 PM
Hi, my ISP confirmed that the public IP address is registered with the private one. My only option is to use the ASA firewall without a router. The ASA firewall faces >>ISP with a private IP address. How can I utilize the public IP address to initiate a VPN site-to-site tunnel? I thought of using the global PAT below. Will this config, using 199.9.9.1 to initiate the VPN tunnel with the other office, work? Please advise with your best examples.
CiscoASA#interface Gi0
CiscoASA#nameif outside
CiscoASA#ip address 10.0.1.2 255.255.255.0
CiscoASA#security-level 0
CiscoASA#interface Gi1
CiscoASA#nameif inside
CiscoASA#ip address 192.168.1.1 255.255.255.0
CiscoASA#security-level 100
CiscoASA#igmp forward interface outside
CiscoASA#interface Gi2
CiscoASA#nameif inside
CiscoASA#security-level 50
CiscoASA#ip address 199.9.9.1 255.255.255.0
CiscoASA#igmp forward interface outside
CiscoASA#same-security-traffic permit intra-interface
CiscoASA#access-list outside_in extended permit icmp any any
CiscoASA#access-list outside_in extended permit tcp any any
CiscoASA#global (inside, outside) 1 199.9.9.2 netmask 255.255.0.0
CiscoASA#global (outside, inside) 1 10.0.1.2 255.255.255.0
CiscoASA#nat (inside) 1 0.0.0.0 0.0.0.0
CiscoASA#route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
Thanks,
Eric
03-23-2010 05:39 PM
Please advise and give your input.
03-23-2010 08:47 PM
Hi Eric,
Unfortunately, you can use any other IP address than the interface that terminates the VPN tunnel, and in your case it will be your outside IP address.
Please also be advised that there is no "global (inside,outside)" command. On the ASA, dynamic NAT/PAT would be the nat and global pair configuration, and for static translation it would be the static (inside,outside) configuration.
The only option would be for your ISP to configure a static translation for your ASA outside IP address (10.0.1.2) to your public IP address. Please make sure that it is a static translation instead of a dynamic translation so you can initiate the VPN tunnel from both ends.
Once the translation has been set up on your ISP router, the remote site or VPN client IPsec configuration will peer to your ASA with that public IP address that has been set up on your ISP router.
For example:
On your ISP router, you would configure a static translation for the ASA outside IP address of 10.0.1.2 to the public IP address of 199.9.9.2.
For all the VPN peers to establish the tunnel, they would need to specify the public IP address of 199.9.9.2.
The important thing to remember is to have a static translation, instead of a dynamic translation.
Hope that helps.
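As an added illustration of the setup described in this answer (not configuration from the thread or from Cisco), here is the ISP-side static translation together with a site-to-site IPsec configuration in the ASA 8.2-style syntax the original post uses. The tunnel still terminates on the ASA outside interface (10.0.1.2); only the remote peer references the translated address 199.9.9.2. The remote LAN 192.168.2.0/24, the remote peer address 203.0.113.10, the ISP router interface names and the pre-shared key placeholder are assumptions.

```cisco
! --- ISP router (IOS), assumed layout: one-to-one static NAT of the ASA outside address
interface GigabitEthernet0/1
 description Link to customer ASA outside (10.0.1.2)
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/0
 description Internet
 ip nat outside
! Static, not dynamic: the mapping exists before either side sends a packet,
! so the remote site can initiate the tunnel as well.
ip nat inside source static 10.0.1.2 199.9.9.2
! The ISP must also allow UDP/500, UDP/4500 and ESP (IP protocol 50) inbound to 199.9.9.2.

! --- Local ASA: IKE/IPsec terminates on outside, never on an inside interface
crypto isakmp enable outside
! NAT-T encapsulates ESP in UDP/4500 because a NAT device sits between the peers
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Interesting traffic for the tunnel; the same ACL exempts it from the nat/global PAT
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! --- Remote ASA (203.0.113.10): peers with the ISP's translated address, not 10.0.1.2
access-list VPN_TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 199.9.9.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 199.9.9.2 type ipsec-l2l
tunnel-group 199.9.9.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

On the remote ASA, `show crypto isakmp sa` should list the peer as 199.9.9.2; if the ISP had used PAT instead of a static translation, a tunnel initiated from the remote side would never reach 10.0.1.2.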