Showing results for 
Search instead for 
Did you mean: 

Site to site VPN and Static Pat

My company has task me with connection two ASA 8.4 with public ip address to VPN into one another sites.

My question is I need to connect and configure two static public imp addresses to one another and test the connection between both Asia’s running 8.4.

I have been told that I need twice Nat the two ips to accomplish this task?

In addition, I need to configure a static Pat to allow ip public address to ports 80 and 443 for email only.

My ips are to they need to be static only.

Right know I'm am trying to test the configurations on our one ASA 5510 in the lab and an Extreme Network switch, before running them on our live network so far I have?

On the AS A, I configure the network object as follows:

Ethernet 0/1

nameif Test

ip address

no shut

network object obj-inmapped-

object network obj-outmapped-

Nat (inside, outside) source static obj-outmapped- destination static obj-inmapped-

The Static PAT Configure

object network obj_Test01_Pat-80


nat (inside, outside) static interface service tcp 80 80

object network obj_Test01_Pat-443


nat (inside, outside) static interface service tcp 443 443

Will this work in my test bed, or do I need to add more commands statements to complete this task?

This is my first time working with ASA’s, this is a new job for me, and this could be change to prove myself to my boss.

I would be very grateful for any help.

Thanks newbie.

Everyone's tags (5)

Site to site VPN and Static Pat


Cisco ASA (and the older PIX firewall) arent really the most user friendly devices to start out cold with. To even test the L2L VPN portion you would already need 2 ASAs or another VPN device to configure the L2L VPN

To my understanding you want to do following things

  • Connect 2 different sites with L2L VPN (Lan to Lan VPN)
  • Also configure Port forwarding for some Web services on your local ASA

First of all for L2L VPN configurations you will need to decide or find out the following things (Unless there is already some existing L2L VPN?)

  • VPN device public IP address for both device
  • Local Networks on both site which you want to use the L2L VPN
  • L2L VPN Phase1 and Phase2 parameters
  • etc

The configurations you mention above seem to be kinda strange.

Im not sure what you are trying to accomplish with the first one. Also the object names dont match with the actual NAT commands used object names

The Port Forward configurations seem ok configuration format wise, but I'm not sure what the source IP addresses used in the configurations are (192.168.5.x) since in the previous one they are totally different. Naturally I might just be mistaken and you have 2 different subnets behind the ASA

We would need alot more information and clarification on the situation before we can give any instructions.

- Jouni