Lan to Lan VPN on ASA - only one public address.....

robward
Level 1

Hello, I need to find a way around this issue.

We have an ASA 5510 running 8.3 that we need to use to terminate a LAN to LAN IPSEC VPN.

Problem is we only have one public address available so have had to configure the link between the ASA and the Internet Router on private addresses.

Is it possible to NAT the public address to the inside or outside interface of the ASA and terminate the VPN on that interface?

If not do I have any other options?

Thanks in advance!

Rob

7 Replies

Jennifer Halim
Cisco Employee

You can't use any IP address other than the interface IP address on the ASA to terminate the VPN tunnel.

So if your ASA outside interface has a public IP address, that is perfect; you can just terminate the VPN on the outside interface.

If the ASA outside interface has a private IP address, you can configure NAT on the Internet router to static PAT the ASA outside private IP address to the public IP.

Hi Jennifer, thanks for the reply.

The outside interface of the ASA is on a private address; this is because we only have one public address available.

So what you're saying is we need to NAT the public IP address onto the outside interface IP address of the ASA?

If so what would the NAT rule look like?

Regards

Rob

NAT needs to be done on the router, not the ASA.

If you are using a Cisco router, it will look something like this:

ip nat inside source static udp <asa-outside-private-ip> 500 <public-ip> 500 extendable

ip nat inside source static udp <asa-outside-private-ip> 4500 <public-ip> 4500 extendable

And remember to enable NAT-T on the ASA so the VPN can be encapsulated into UDP/4500.
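A fuller version of that design, added here as a constructed example and not configuration posted in the thread: the router-side static PAT for IKE (UDP/500) and NAT-T (UDP/4500) towards the ASA's private outside address, and the matching ASA 8.3 side with NAT-T enabled. All addresses, interface and object names, and the protected subnets are assumptions.

```cisco
! --- Internet router (Cisco IOS): constructed example ---
! Assumed addresses (not from the thread): ASA outside 192.168.100.2,
! the single public address 203.0.113.10, remote VPN peer 198.51.100.5.
interface GigabitEthernet0/0
 description link to ASA outside
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
interface GigabitEthernet0/1
 description Internet uplink
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
! Static PAT for IKE (UDP/500) and NAT-T (UDP/4500) to the ASA's private
! outside address. ESP (IP protocol 50) has no ports and cannot be PATed,
! which is why the tunnel must run inside UDP/4500 (NAT-T).
ip nat inside source static udp 192.168.100.2 500 203.0.113.10 500 extendable
ip nat inside source static udp 192.168.100.2 4500 203.0.113.10 4500 extendable
!
! --- ASA 5510 running 8.3: constructed example ---
! NAT-T with 20 s keepalives so the router's UDP translation stays open.
crypto isakmp nat-traversal 20
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Assumed protected subnets: local 10.1.0.0/24, remote 10.2.0.0/24.
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! The tunnel-group is keyed by the remote peer's public address; the remote
! side must set its peer to 203.0.113.10 (the router's public address),
! never to the ASA's private outside address.
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key <replace-with-shared-secret>
```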

Sorry I probably didn't explain very clearly.

The router is actually an L3 switch, and quite an old one; I don't think NAT on the switch is an option here. We would struggle to get it through change control, for starters.

Can I NAT the public IP address to one of the interface addresses on the ASA and terminate the VPN?

No, you can't NAT the interface IP address of the ASA on the ASA itself; that is not supported.

You also can't terminate the VPN tunnel across the interface on the ASA.

How and where are you currently doing NAT for internet access? Can't you configure the NAT on the same device where you currently configure your NAT?

Thanks Jennifer, I just needed to know that.

We've scheduled some work now that will mean we can reclaim a /29 of public address space, so we will use this for the outside of the ASA.

Regards

Rob

Great, that would make things a lot simpler.