VPN to Vendor who only allows public IP addresses

jjames1905
Level 1

I need to establish a VPN to a vendor who will only allow public IP addresses across a VPN.  I need to keep the public IP address out of my LAN for security policy reasons.  I am using an ASA 5510 with 8.2(1) which is connected to the DMZ port on my 3845 Router.  My main firewall is configured on this 3845 router.  The ASA firewall does have its own outside internet connection separate from the 3845 router/firewall.

The issue is to connect the vendor's server (a public IP address) to my internal server (RFC-1918 IP address) without having to route the public IP address across my LAN. My only solution now is to try a double NAT on the ASA and the router DMZ at this time.

Ideas?


Jennifer Halim
Cisco Employee

Sorry, can you please share a topology diagram of how the ASA and the router are connected, as well as which device is terminating the VPN? And lastly, how is your internal server connected?

The inside interface of the ASA firewall is connected to a DMZ port on the 3845 router/firewall. The VPN will terminate on the ASA firewall.  My internal server is at a remote location and connected to the 3845 router/firewall via an internal MPLS to that remote location.

In addition, the vendor will not allow the RFC-1918 IP address for my server to route across the VPN.  They only accept public IP addresses for routing to their server.

Yes, you can configure the NAT on the ASA. Crypto ACL then needs to match the NATed address.

How many of your internal hosts need to access the vendor server? Also, does the vendor server need to access your internal server?

You can configure NAT for your internal host when the destination subnet is your vendor server.

Only one of my servers needs to access the vendor server, and the same vendor server needs to access my server.

OK, then you would need to configure static NAT.

Do you already have a static NAT configured for your internal server?

If not, then just create static NAT with ACL as follows:

access-list static-server permit ip host host

static (inside,outside) access-list static-server

For the crypto ACL:

access-list crypto-acl permit ip host host
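The accepted answer written out end to end, as an added example in ASA 8.2 syntax (not Jennifer's or Cisco's configuration): the addresses are constructed from the RFC 5737 documentation ranges, the object names and IKE/IPsec parameters are hypothetical, and the pre-shared key is a placeholder.

```cisco
! Constructed addresses, not the poster's:
!   10.1.1.10      internal server (real RFC 1918 address)
!   203.0.113.10   public address the vendor sees for that server
!   198.51.100.20  vendor's server
!   198.51.100.1   vendor's VPN peer

! 1. Policy static NAT: the internal server's source is rewritten to the
!    public address only when the destination is the vendor server, so the
!    public address never has to be routed on the LAN side. The static is
!    bidirectional, so the vendor can also reach 203.0.113.10 -> 10.1.1.10.
access-list static-server extended permit ip host 10.1.1.10 host 198.51.100.20
static (inside,outside) 203.0.113.10 access-list static-server

! 2. Crypto ACL matches the NATed (mapped) address, not 10.1.1.10.
!    The vendor configures the mirror image on their side.
access-list crypto-acl extended permit ip host 203.0.113.10 host 198.51.100.20

! 3. IKEv1 / IPsec parameters (illustrative; agree them with the vendor)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set vendor-ts esp-aes-256 esp-sha-hmac

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

crypto map vendor-map 10 match address crypto-acl
crypto map vendor-map 10 set peer 198.51.100.1
crypto map vendor-map 10 set transform-set vendor-ts
crypto map vendor-map 10 set pfs group2
crypto map vendor-map interface outside

! 4. Inbound scope. By default "sysopt connection permit-vpn" lets decrypted
!    traffic bypass the outside ACL, so the host-to-host crypto ACL above is
!    the effective filter. To enforce an interface ACL instead, disable the
!    sysopt and permit only the vendor server to the mapped address.
no sysopt connection permit-vpn
access-list outside_in extended permit ip host 198.51.100.20 host 203.0.113.10
access-group outside_in in interface outside
```

Verify with "show xlate" (the 10.1.1.10 to 203.0.113.10 translation) and "show crypto ipsec sa" (the SA's local identity should be 203.0.113.10/255.255.255.255, not the RFC 1918 address).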

So we NAT the public IP from the vendor to a private address on our network and route to our server.

Then we NAT our server IP to a public IP routed back to the vendor server.

Yes, absolutely correct.