06-30-2011 06:19 AM
I need to establish a VPN to a vendor who will only allow a public IP address across the VPN. I need to keep the public IP address out of my LAN for security policy reasons. I am using an ASA 5510 with 8.2(1) which is connected to a DMZ port on my 3845 router. My main firewall is configured on this 3845 router. The ASA firewall does have its own outside internet connection separate from the 3845 router/firewall.
This issue is to connect the vendor's server (a public IP address) to my internal server (RFC-1918 IP address) without having to route the public IP address across my LAN. My only solution now is to try a double NAT on the ASA and the router DMZ at this time.
Ideas?
06-30-2011 06:30 AM
Sorry, can you please share a topology diagram of how the ASA and the router are connected, as well as which device is terminating the VPN? And lastly, how is your internal server connected?
06-30-2011 06:35 AM
The inside interface of the ASA firewall is connected to a DMZ port on the 3845 router/firewall. The VPN will terminate on the ASA firewall. My internal server is at a remote location and connected to the 3845 router/firewall via an internal MPLS to that remote location.
In addition, the vendor will not allow the RFC-1918 IP address for my server to route across the VPN. They only accept public IP addresses for routing to their server.
06-30-2011 06:40 AM
Yes, you can configure the NAT on the ASA. Crypto ACL then needs to match the NATed address.
How many of your internal hosts need to access the vendor server? Also, does the vendor server need to access your internal server?
You can configure NAT for your internal host when the destination subnet is your vendor server.
06-30-2011 07:08 AM
Only one of my servers needs to access the vendor server, and the same vendor server needs to access my server.
06-30-2011 07:13 AM
OK, then you would need to configure static NAT.
Do you already have a static NAT configured for your internal server?
If not, then just create static NAT with ACL as follows:
access-list static-server permit ip host
static (inside,outside)
For the crypto ACL:
access-list crypto-acl permit ip host
06-30-2011 07:33 AM
So we NAT the public IP from the vendor to a private address on our network and route to our server.
Then we NAT our server IP to a public IP routed back to the vendor server.
06-30-2011 03:36 PM
Yes, absolutely correct.
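The bidirectional static NAT and matching crypto ACL agreed above, written out as an added ASA 8.2 configuration example (not from the thread; every address, the peer, and the pre-shared key are constructed placeholders). It uses plain 1:1 statics rather than the policy NAT form quoted in the accepted answer, and adds outside NAT so the vendor's public address never crosses the LAN or MPLS.

```cisco
! All addresses are constructed placeholders; substitute your own.
!   10.1.1.10      internal server (RFC-1918), reached through the 3845 DMZ port at 10.1.0.1
!   203.0.113.5    public address the internal server is presented as inside the tunnel
!   198.51.100.20  vendor's server (public)
!   10.1.2.20      private address the vendor's server is presented as on the LAN
!   198.51.100.1   vendor's VPN peer
!
! The ASA inside sits on the 3845 DMZ; the 3845 must in turn route 10.1.2.20 to the ASA inside.
route inside 10.1.1.10 255.255.255.255 10.1.0.1
!
! Outbound: our server leaves the tunnel as 203.0.113.5 (1:1 static, not policy NAT).
static (inside,outside) 203.0.113.5 10.1.1.10 netmask 255.255.255.255
! Inbound: outside NAT presents the vendor as 10.1.2.20, so 198.51.100.20 never
! appears on the LAN or MPLS; internal hosts address the vendor as 10.1.2.20.
static (outside,inside) 10.1.2.20 198.51.100.20 netmask 255.255.255.255
!
! The crypto ACL is evaluated after NAT, so it names the translated (public) pair only.
access-list crypto-acl extended permit ip host 203.0.113.5 host 198.51.100.20
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address crypto-acl
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret-agreed-with-vendor>
!
! sysopt connection permit-vpn is on by default in 8.2: decrypted traffic skips the
! outside interface ACL, so the host-to-host crypto ACL above is what confines the
! vendor to this one server. Use "no sysopt connection permit-vpn" plus an explicit
! outside ACL if the security policy requires interface filtering as well.
```

After the tunnel comes up, "show xlate" should list both translations and "show crypto ipsec sa" should show the SA built for 203.0.113.5 and 198.51.100.20, never for the RFC-1918 addresses.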