• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5652
  • Last Modified:

Cisco ASA - create VPN tunnel using public IP address as the encryption domain

I have a Cisco ASA that's being used for a bunch of different site-site tunnels.

There is a new request to create a tunnel to a cisco router at a remote site. The restriction is that they require that a public IP address be used for the encryption domain. In all of the previous tunnels, internal subnet addresses were used for the encryption domain to allow access back and forth through the tunnel. In this case, it's just required to have a single address as the encryption domain, and once the tunnel's up, the communication will really only occur one-way (from us to them) with them granting access to the public IP that is our encryption domain.

I'm not 100% sure what the easiest or correct way to set this up is. I have a spare ASA, so it doesn't all have to happen on the one ASA if it necessary to NAT one behind the other or something. I also have available public IPs on my external subnet, so I don't have to use the same public IP that is assigned to the ASA itself.

Bottom line is that we want a site-site tunnel on an ASA where both the tunnel endpoint and the encryption domain are public IP addresses, and we will access remote systems across that tunnel using primarily ssh.

Any and all assistance is appreciated...thanks.
0
JammyPak
Asked:
JammyPak
1 Solution
 
DonbooCommented:
What confuses most about using a public IP as the encrypted traffic is that its public and it really shouldnt. I´ts the same approach as using private just with public addresses to ensure uniqueness.

Assuming that your real host behind your end of the tunnel is a private address do this.

Setup a VPN tunnel as you normally would do just change the encryption IP, the normal private IP, to your public IP. Then use policy static NAT to change your host IP to the public when going to the remote end.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/nat.htm#wp1042553
0
 
JammyPakAuthor Commented:
this is pretty much what we ended up doing. I was trying to figure out some way around it since I didn't have a lot of public IPs to play with. I ended up getting a new small block for this purpose. Sorry for the delayed response.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now