
IPSec tunnel to an internal ASA5525?

NInja Black
Level 1

Hi,

We are trying to set up an IPSec VPN tunnel to a remote office. Our setup is:

Remote office: ISP > ASA5505 > Internal servers

Our HQ: ISP > Router 3925 > ASA5525 > Internal LAN Switch

At HQ all NATing is done at the router. The ASA5525 is a pure firewall.

My question is, can I assign a public IP to the outside interface of the ASA5525 at the HQ and set up an IPSec tunnel between the 2 ASAs?

Originally I thought of setting up the IPSec tunnel between the ASA5505 and the router 3925, but for that we need to get the Security License for the router, which costs us $$$. Trying to avoid it.

Please let me know if this setup is feasible.

Accepted Solutions

AllertGen
Level 3

Hello,

Yes, it is possible to assign an external IP address to the ASA. There are 2 possible ways:

1. You can link an external IP address to the ASA with this line on the 3925:

ip nat inside source static [IP_ASA] [External_IP] extendable

2. You can use PAT if you have only 1 external IP address. The lines for it:

ip nat inside source static tcp [IP_ASA] 51 [External_IP] 51 extendable
ip nat inside source static udp [IP_ASA] 500 [External_IP] 500 extendable
ip nat inside source static udp [IP_ASA] 4500 [External_IP] 4500 extendable

Best Regards.

Thanks AllertGen.

As I have enough Public IPs I will be using the first option.

By the way, the VPN can be configured on the ASA during office hours, right? This shouldn't impact any business usage. Correct?

Hi, NInja Black.

It shouldn't impact business work if you do it right (if you don't use NAT on the ASA and if you don't make a mistake with the IP addresses).

Best Regards.

Great. Thank you so much AllertGen. Appreciate it.