Cisco ASA - create VPN tunnel using public IP address as the encryption domain
Posted on 2009-02-11
I have a Cisco ASA that's being used for a bunch of different site-site tunnels.
There is a new request to create a tunnel to a Cisco router at a remote site. The restriction is that they require that a public IP address be used for the encryption domain. In all of the previous tunnels, internal subnet addresses were used for the encryption domain to allow access back and forth through the tunnel. In this case, it's just required to have a single address as the encryption domain, and once the tunnel's up, the communication will really only occur one-way (from us to them) with them granting access to the public IP that is our encryption domain.
I'm not 100% sure what the easiest or correct way to set this up is. I have a spare ASA, so it doesn't all have to happen on the one ASA if it's necessary to NAT one behind the other or something. I also have available public IPs on my external subnet, so I don't have to use the same public IP that is assigned to the ASA itself.
Bottom line is that we want a site-site tunnel on an ASA where both the tunnel endpoint and the encryption domain are public IP addresses, and we will access remote systems across that tunnel using primarily ssh.
Any and all assistance is appreciated... thanks.
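One way to meet the requirement on a single ASA, as an added example that is not the poster's configuration: statically NAT the inside host to a spare public IP, then use that public IP in the crypto ACL, because the ASA matches the crypto ACL on post-NAT addresses. All addresses, names, the PSK placeholder and the crypto parameters below are assumptions; the syntax is pre-8.3 ASA (current for the 2009 post), and 8.3+ replaces the `static` line with object NAT.

```cisco
! Added example (not the poster's config). Assumed addresses (documentation ranges):
!   inside host that will SSH to the remote site : 10.10.10.50
!   spare public IP on the outside subnet        : 203.0.113.10  (our encryption domain)
!   remote router (tunnel peer)                  : 198.51.100.1
!   remote hosts reachable through the tunnel    : 198.51.100.0/24

! 1. Translate the inside host to the spare public IP. The ASA evaluates the crypto ACL
!    against the translated (outside) address, so this public IP is what the remote side sees.
static (inside,outside) 203.0.113.10 10.10.10.50 netmask 255.255.255.255

! 2. Crypto ACL: only the public IP is in the encryption domain, so nothing else on the
!    inside network can be pulled into the tunnel by accident.
access-list VPN-TO-REMOTE extended permit ip host 203.0.113.10 198.51.100.0 255.255.255.0

! 3. Phase 1 (IKEv1). Policy number and parameters must match what the remote router runs;
!    the values here are placeholders, not a recommendation for a specific peer.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! 4. Phase 2. OUTSIDE-MAP is assumed to be the crypto map already bound to the outside
!    interface for the existing tunnels; pick a sequence number (20) not used by them.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 20 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside

! 5. Sessions are initiated from our side only, so the outside ACL needs no new inbound
!    permit for the tunnelled traffic (sysopt connection permit-vpn is on by default).
!    Verify with: show crypto isakmp sa  /  show crypto ipsec sa peer 198.51.100.1
```

If several inside hosts need to reach the remote site through the same single public IP, replace the `static` with a PAT pool (`global (outside) 2 203.0.113.10` plus a matching `nat (inside) 2 ...`) so they all appear as the one encryption-domain address; the crypto ACL stays unchanged.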