Cisco ASA - create VPN tunnel using public IP address as the encryption domain

Posted on 2009-02-11
Last Modified: 2012-05-06
I have a Cisco ASA that's being used for a bunch of different site-site tunnels.

There is a new request to create a tunnel to a Cisco router at a remote site. The restriction is that they require that a public IP address be used for the encryption domain. In all of the previous tunnels, internal subnet addresses were used for the encryption domain to allow access back and forth through the tunnel. In this case, it's just required to have a single address as the encryption domain, and once the tunnel's up, the communication will really only occur one-way (from us to them) with them granting access to the public IP that is our encryption domain.

I'm not 100% sure what the easiest or correct way to set this up is. I have a spare ASA, so it doesn't all have to happen on the one ASA if it is necessary to NAT one behind the other or something. I also have available public IPs on my external subnet, so I don't have to use the same public IP that is assigned to the ASA itself.

Bottom line is that we want a site-site tunnel on an ASA where both the tunnel endpoint and the encryption domain are public IP addresses, and we will access remote systems across that tunnel using primarily ssh.

Any and all assistance is appreciated...thanks.
Question by: JammyPak
    LVL 9

    Accepted Solution

    What confuses most people about using a public IP as the encrypted traffic is that it's public, and it really shouldn't. It's the same approach as using private addresses, just with public addresses to ensure uniqueness.

    Assuming that your real host behind your end of the tunnel is a private address, do this.

    Set up a VPN tunnel as you normally would, just change the encryption IP, the normal private IP, to your public IP. Then use policy static NAT to change your host IP to the public one when going to the remote end.
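As an added example (not from the thread or either poster), here is what the accepted solution describes, written in ASA 8.2-era syntax, which matches the question's date; 8.3 and later replace the `static ... access-list` form with object/twice NAT. Every address is a constructed placeholder: 10.1.1.10 is the internal host, 198.51.100.10 is a spare public IP on the outside subnet used as our encryption domain, 203.0.113.50 is the remote side's public encryption domain, and 192.0.2.1 is the remote router's tunnel endpoint. The crypto map name OUTSIDE_MAP and sequence number 20 are assumed; reuse whatever map is already applied to the outside interface for the existing tunnels.

```cisco
! --- Added example, not the thread's own config. ASA 8.2-style syntax.
! --- All addresses are constructed placeholders:
!   10.1.1.10      internal host that will ssh to the remote site
!   198.51.100.10  spare public IP on the outside subnet = OUR encryption domain
!   203.0.113.50   remote side's encryption domain (their public IP)
!   192.0.2.1      remote router's tunnel endpoint

! 1. Crypto ACL: the interesting traffic is public-to-public, exactly as the
!    remote end expects. The remote router's crypto ACL must mirror this.
access-list VPN-TO-REMOTE extended permit ip host 198.51.100.10 host 203.0.113.50

! 2. Policy static NAT: translate the internal host to the public encryption
!    domain address ONLY when it talks to the remote encryption domain.
!    Other traffic from 10.1.1.10 keeps whatever NAT it had before.
access-list NAT-TO-REMOTE extended permit ip host 10.1.1.10 host 203.0.113.50
static (inside,outside) 198.51.100.10 access-list NAT-TO-REMOTE

! 3. Do NOT add this flow to the usual "nat (inside) 0 access-list NONAT"
!    exemption used by the other site-to-site tunnels. On 8.2 NAT exemption
!    is evaluated before policy static NAT, so an exempted flow would hit
!    the crypto map with a 10.1.1.10 source and never match VPN-TO-REMOTE.

! 4. Phase 1 (IKEv1) and phase 2 (IPsec), as for any other l2l tunnel.
!    Policy and transform-set values must match what the remote router uses.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-PSK

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address VPN-TO-REMOTE
crypto map OUTSIDE_MAP 20 set peer 192.0.2.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 set pfs group2
crypto map OUTSIDE_MAP interface outside

! 5. Checks: confirm the translation and the crypto match before blaming IKE.
! packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.50 22
!   -> expect a NAT phase showing 10.1.1.10 -> 198.51.100.10, then a VPN phase
! show xlate | include 198.51.100.10
! show crypto isakmp sa
! show crypto ipsec sa peer 192.0.2.1
```

The packet-tracer line is the quickest way to see the two halves working together: if the NAT phase shows the translation but no VPN phase follows, the crypto ACL does not match the translated source; if there is no NAT phase at all, an exemption or earlier NAT rule is catching the flow first. Since only SSH is needed across the tunnel, the outbound interface ACL can be narrowed to tcp/22 from 10.1.1.10 to 203.0.113.50 without touching the crypto ACL, which should stay a plain ip permit so it mirrors the remote side.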
    LVL 16

    Author Closing Comment

    This is pretty much what we ended up doing. I was trying to figure out some way around it since I didn't have a lot of public IPs to play with. I ended up getting a new small block for this purpose. Sorry for the delayed response.
