Outside interface non-routable address

ryan.gutierrez
Level 1

Greetings all,

I am currently working with a vendor to get my ASA5520 set up to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.

I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is set up as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.

I was toying around with the idea of putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.

Thanks for all your help and feel free to let me know if I'm crazy and it's not going to work.

1 Reply

Marvin Rhoads
Hall of Fame

You should try to get the other agency to assign a static NAT for your 10.0.8.162. Then your clients can point to that public IP and you will receive their requests intact with only your address changed to its real value.

I don't think you can "fool" the ASA into NATting its own outside address for traffic whose destination is the ASA itself (e.g., the IPsec VPN session establishment and maintenance).