Site to site VPN and Static Pat

EE2002SSS
Level 1

My company has tasked me with connecting two ASA 8.4s with public IP addresses to VPN into one another's sites.

My question is: I need to connect and configure two static public IP addresses to one another and test the connection between both ASAs running 8.4.

I have been told that I need to twice NAT the two IPs to accomplish this task?

In addition, I need to configure a static PAT to allow the public IP address to ports 80 and 443 for email only.

My IPs are 192.168.100.5 to 192.168.100.6. They need to be static only.

Right now I'm trying to test the configurations on our one ASA 5510 in the lab and an Extreme Networks switch, before running them on our live network. So far I have:

On the ASA, I configured the network object as follows:

interface Ethernet0/1
 nameif Test
 ip address 192.168.100.5 255.255.255.252
 no shutdown

object network obj-inmapped-192.168.100.5
 host 192.168.100.5

object network obj-outmapped-192.168.100.200
 host 192.168.100.6

nat (inside,outside) source static obj-outmapped-192.168.100.6 destination static obj-inmapped-192.168.100.5

The static PAT configuration:

object network obj_Test01_Pat-80
 host 192.168.5.129
 nat (inside,outside) static interface service tcp 80 80

object network obj_Test01_Pat-443
 host 192.168.5.129
 nat (inside,outside) static interface service tcp 443 443

Will this work in my test bed, or do I need to add more command statements to complete this task?

This is my first time working with ASAs, this is a new job for me, and this could be a chance to prove myself to my boss.

I would be very grateful for any help.

Thanks, newbie.

1 Reply

Jouni Forss
VIP Alumni

Hi,

Cisco ASA (and the older PIX firewall) aren't really the most user-friendly devices to start out cold with. To even test the L2L VPN portion you would already need 2 ASAs or another VPN device to configure the L2L VPN.

To my understanding you want to do the following things:

  • Connect 2 different sites with L2L VPN (LAN-to-LAN VPN)
  • Also configure port forwarding for some web services on your local ASA

First of all, for L2L VPN configurations you will need to decide or find out the following things (unless there is already some existing L2L VPN?):

  • VPN device public IP address for both devices
  • Local networks on both sites that you want to use the L2L VPN for
  • L2L VPN Phase 1 and Phase 2 parameters
  • etc.

The configurations you mention above seem kinda strange.

I'm not sure what you are trying to accomplish with the first one. Also, the object names don't match the object names used in the actual NAT commands.

The port forward configurations seem OK format-wise, but I'm not sure what the source IP addresses used in the configurations (192.168.5.x) are, since in the previous one they are totally different. Naturally I might just be mistaken and you have 2 different subnets behind the ASA.

We would need a lot more information and clarification on the situation before we can give any instructions.

- Jouni
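For readers following the thread, below is an added example (not code from the original poster or from the reply) of what the pieces Jouni lists look like together on one ASA 8.4: interfaces, a NAT exemption so tunnel traffic is not translated, static PAT for only tcp/80 and tcp/443 to the web server, an interface ACL that admits only those ports, and the IKEv1 Phase 1 / IPsec Phase 2 settings for the LAN-to-LAN tunnel. All addresses, object names, the peer IP, and the pre-shared key are hypothetical placeholders chosen for the example; the remote ASA needs a mirror-image configuration with the LANs and peer address swapped.

```cisco
! Added example, not from the original post. All values are hypothetical.
! Local ASA:  outside 203.0.113.10, inside LAN 192.168.5.0/24
! Remote ASA: outside 198.51.100.20, remote LAN 192.168.6.0/24
! Web server behind the local ASA: 192.168.5.129

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 no shutdown

! Network objects shared by NAT and the crypto ACL
object network LOCAL-LAN
 subnet 192.168.5.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.6.0 255.255.255.0

! NAT exemption (identity NAT): traffic for the tunnel keeps its real addresses.
! Placed first so it wins over the PAT rules below; route-lookup avoids
! sending the untranslated traffic to the wrong interface.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Static PAT: only tcp/80 and tcp/443 on the outside interface address
! are forwarded to the web server; nothing else is exposed.
object network WEB-SERVER-80
 host 192.168.5.129
 nat (inside,outside) static interface service tcp 80 80
object network WEB-SERVER-443
 host 192.168.5.129
 nat (inside,outside) static interface service tcp 443 443

! In 8.3+ the interface ACL references the real (untranslated) address,
! and should permit only the forwarded ports.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-80 eq 80
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER-443 eq 443
access-group OUTSIDE-IN in interface outside

! "Interesting traffic" for the tunnel (crypto ACL); the remote side mirrors it
access-list L2L-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN

! Phase 1 (IKEv1): every parameter here must match the remote peer
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 (IPsec) transform set, also matched on the remote peer
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Peer definition; the pre-shared key is a placeholder to be replaced
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
```

Once both sides are configured, `show crypto ikev1 sa` and `show crypto ipsec sa` confirm that Phase 1 and Phase 2 came up, `show nat` shows whether the exemption rule is being hit before the PAT rules, and `packet-tracer input inside tcp 192.168.5.10 12345 192.168.6.10 80` walks a sample flow through the NAT and crypto checks without needing a host on the LAN. Note that the original post's "twice NAT" and the two 192.168.100.x addresses are not needed for this design: the public interface addresses are the VPN peers, and the private LANs behind each ASA are what the tunnel carries.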