02-16-2015 04:39 PM - edited 02-21-2020 08:05 PM
Hi,
We are trying to set up an IPSec VPN tunnel to a remote office. Our setup is:
Remote office: ISP > ASA5505 > Internal servers
Our HQ: ISP > Router 3925 > ASA5525 > Internal LAN Switch
At HQ all NATing is done at the router. The ASA5525 is a pure firewall.
My question is, can I assign a public IP to the outside interface of the ASA5525 at the HQ and set up an IPSec tunnel between the 2 ASAs?
Originally I thought of setting up the IPSec tunnel between the ASA5505 and the router 3925, but for that we need to get the Security License for the router, which costs us $$$. Trying to avoid it.
Please let me know if this setup is feasible.
02-16-2015 11:52 PM
Hello, NInja Black.
Yes, it is possible to assign an external IP address to the ASA. There are 2 possible ways:
1. You can link an external IP address to the ASA with this line on the 3925:
ip nat inside source static [IP_ASA] [External_IP] extendable
2. You can use PAT if you have only 1 external IP address. The lines for it:
ip nat inside source static tcp [IP_ASA] 51 [External_IP] 51 extendable
ip nat inside source static udp [IP_ASA] 500 [External_IP] 500 extendable
ip nat inside source static udp [IP_ASA] 4500 [External_IP] 4500 extendable
Best Regards.
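
An added example, not part of AllertGen's post: a small Python check that reads the router's static NAT lines and reports whether the ASA is reachable for IKE (UDP 500) and NAT-T (UDP 4500) under either option above. The addresses 10.0.0.2 and 203.0.113.10 and the function names are constructed for illustration.

```python
# With port forwarding, the remote peer must reach the ASA on IKE (UDP 500)
# and NAT-T (UDP 4500); ESP is then carried inside UDP 4500.
REQUIRED = {("udp", 500), ("udp", 4500)}

# Constructed sample configs mirroring the two options in the answer.
OPTION_1 = "ip nat inside source static 10.0.0.2 203.0.113.10 extendable"
OPTION_2 = """\
ip nat inside source static tcp 10.0.0.2 51 203.0.113.10 51 extendable
ip nat inside source static udp 10.0.0.2 500 203.0.113.10 500 extendable
ip nat inside source static udp 10.0.0.2 4500 203.0.113.10 4500 extendable
"""

def parse_static(line):
    """Parse one 'ip nat inside source static' line; return None for other lines."""
    tokens = line.split()
    if tokens[:5] != ["ip", "nat", "inside", "source", "static"]:
        return None
    args = [a for a in tokens[5:] if a != "extendable"]
    if len(args) == 2:  # one-to-one: local-ip global-ip
        return {"proto": None, "local": args[0], "port": None}
    if len(args) == 5 and args[0] in ("tcp", "udp"):
        # proto local-ip local-port global-ip global-port
        return {"proto": args[0], "local": args[1], "port": int(args[4])}
    return None

def check_ipsec_reachability(config, asa_ip):
    """Report which IKE/NAT-T forwards exist for the ASA's inside address."""
    entries = [e for e in map(parse_static, config.splitlines())
               if e and e["local"] == asa_ip]
    if any(e["proto"] is None for e in entries):
        # A one-to-one static translates every protocol and port.
        return {"mode": "one-to-one", "missing": [], "other_forwards": []}
    have = {(e["proto"], e["port"]) for e in entries}
    return {
        "mode": "port-forward" if entries else "none",
        "missing": sorted(REQUIRED - have),
        # Forwards that are neither IKE nor NAT-T, listed for review.
        "other_forwards": sorted(have - REQUIRED),
    }

if __name__ == "__main__":
    print(check_ipsec_reachability(OPTION_1, "10.0.0.2"))
    print(check_ipsec_reachability(OPTION_2, "10.0.0.2"))
```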
02-17-2015 06:31 AM
Thanks AllertGen.
As I have enough Public IPs I will be using the first option.
By the way, the VPN can be configured on the ASA during office hours, right? This shouldn't impact any business usage, correct?
02-17-2015 07:01 AM
Hi, NInja Black.
It shouldn't impact business work if you do it right (if you don't use NAT on the ASA and if you don't make a mistake with the IP addresses).
Best Regards.
02-17-2015 07:32 AM
Great. Thank you so much AllertGen. Appreciate it.