MrPrince asked:

NAT incoming VPN connection to firewall's outside interface

Hi,

I have a client who's recently purchased a Cisco 2811 to place in front of their ASA firewall to act as a perimeter router. Their firewall terminates their VPN connection, and now that the perimeter router is in place the firewall's outside interface is no longer internet facing. How do I NAT through an IPSEC VPN connection to the firewall? They don't want to move the VPN termination to the 2811. Also, to make matters worse, they only have one statically assigned IP.

I've done this before but simply NAT'd a whole IP address through since that client had plenty to spare…

Thanks.
carlson777

Are you saying that the one statically assigned IP address is now used by the router's outside interface to talk with the ISP?  Asking this because you said they only have one IP.
MrPrince (ASKER)

Correct. Strange getting only one, but it's a case of their ISP issuing a static mapping through their DHCP servers. This is TELUS btw.

I do not see how you can do this, as the NATing on the router will change the hash and thus kill the IPSec tunnel. I would tell your client that they need to get with their ISP and acquire a point to point that they currently have as well as a second small block that they can use to create IPSec tunnel.

So there's no way to forward IPSEC traffic to the external interface of the ASA? I did do this before with a simple static NAT rule similar to:

ip nat inside source static [external PIX IP] [External routable IP]

What about something like:

ip nat inside source static tcp [external PIX IP] [IPSEC Protocol(s)] interface FastEthernet0 [IPSEC Protocol(s)]

You could try, but the packet is being changed in the NAT process and this would change the hash, and I believe that the IPSec devices will drop that packet's response.

Would that NAT statement be right then? Is the protocol IPSEC or would it be something else?

ASKER CERTIFIED SOLUTION
pgolding00
This solution is only available to members.
Thanks.
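
The thread turns on whether NAT "changes the hash". The following is an added example, not part of the original thread or the hidden solution: a simplified model of what the AH and ESP integrity checks cover when a router rewrites the destination address, plus the IKE NAT-D comparison from RFC 3947 that lets the firewall notice the translation. Addresses, key, cookies and the SHA-1 NAT-D hash are constructed assumptions, and the AH coverage omits the AH header itself for brevity.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; real SA keys come from IKE
PEER, PUBLIC, FIREWALL = "198.51.100.7", "203.0.113.10", "192.168.1.2"  # constructed

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left 0 because AH treats it as mutable."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(proto, header, body):
    """Simplified integrity check value: HMAC-SHA-256 truncated to 128 bits."""
    if proto == 51:   # AH covers the outer header with mutable fields zeroed
        fixed = bytearray(header)
        fixed[1] = fixed[8] = 0                   # TOS and TTL
        fixed[6:8] = fixed[10:12] = b"\x00\x00"   # fragment bits and checksum
        covered = bytes(fixed) + body
    else:             # ESP (50) covers only SPI, sequence number and ciphertext
        covered = body
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]

def static_nat(header, new_dst):
    """Rewrite the destination address as an inbound static NAT rule would."""
    return header[:16] + socket.inet_aton(new_dst)

def integrity_survives_nat(proto):
    body = struct.pack("!II", 0x1001, 1) + b"constructed ciphertext"
    sent = ipv4_header(PEER, PUBLIC, proto, len(body))
    received = static_nat(sent, FIREWALL)
    return hmac.compare_digest(icv(proto, sent, body), icv(proto, received, body))

def nat_d(cookie_i, cookie_r, ip, port):
    """IKE NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cookie_i + cookie_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumes SHA-1 is the negotiated hash

def firewall_detects_nat():
    ci, cr = b"\x11" * 8, b"\x22" * 8       # constructed IKE cookies
    claimed = nat_d(ci, cr, PUBLIC, 500)    # destination the remote peer hashed
    actual = nat_d(ci, cr, FIREWALL, 500)   # what the firewall computes locally
    return claimed != actual                # mismatch: peers move to UDP 4500 (NAT-T)

if __name__ == "__main__":
    print("AH/ESP survive NAT:", integrity_survives_nat(51), integrity_survives_nat(50))
    print("NAT detected:", firewall_detects_nat())
```

In this model the AH check fails after translation while the ESP check still verifies. ESP has no port numbers, so behind a single address it is normally carried inside UDP 4500 once both peers detect the NAT.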