Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco ASA VPN Nat Problem

Posted on 2010-11-21
9
887 Views
Last Modified: 2012-06-21
I have an ASA 5500 connected to the internet. I have a remote site with a cisco 877 connected to the ASA over a l2l VPN over the internet.

I want to make one of the hosts at the remote site available to the public internet so I assume I need to use a static NAT on the firewall.

I am a little confused about how to do this.

Essentially, the traffic will come in from the internet to the outside interface and then be natted, encrypted and sent back out the outside interface over the VPN to the host.

How do I do this as they are both on the outside interface?

static (outside,outside) public address internal adress?

0
Comment
Question by:question01
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 3

Expert Comment

by:caballo_oscuro
ID: 34186894
use an extnded access control list that prevents (deny) the exact network from gaining access to the 80 port of the router then permit the other network any any. Place the acccess control list on the appropriate port on the router.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34187412
Is your network topology like

internet -> cisco 877 --nat--> host

?

Why is VPN involved?

0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 34187972
yea that static should do the trick... but make sure u have the command 'same-security-traffic permit intra-interface' in place.

u can even do a nat:

nat (outside) 1 <internal ip> outside
global (outside) 1 interface  ---- (which i assume u will be having)

so that u pat the internal ip to the outside interface of the ASA saving the public ip u are using for the static nat.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34188927
Unless the whole traffic of the host at remote site that you want to make public, tunneled to ASA, including the internet traffic, what you want to do is not possible.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34189095
Also,  why would you want traffic to come into the ASA then sent back out the interface to the remote site?   Wouldn't it be easier just to have the traffic directed over there?  

Do you want traffic to come into the ASA then sent across VPN to the other site's host?  
0
 
LVL 1

Author Comment

by:question01
ID: 34192727
Good question MikeKane.

(Remote Site) cisco 877 -------------- Internet------------------ ASA

With a VPN betwen the 877 and the ASA.
At the moment all traffic from the remote site comes back to the main site (ASA) over the VPN before being sent back out the same interface to the internet. There are a few reasons for this, proxies etc...

I want a host (Video conferencing unit) on the remote site to be publically accessible from the internet. The only spare IP address space we have is on the network that connects to the ASA so I was planning on using one of these addresses as the public address for the host at the remote site.

 
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34192848
So remote site goes to intervet via ASA's internet connection. For a simple test, tell a user at remote site to enter www.whatismyip.com . If it is the same with the one that a user at HQ behind ASA sees at the same web address, then the outside,outside static should work.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34195302
internet -> (public IP)ASA -> NAT-dst -> routing lookup -> VPN Tunnel -> 877 -> Video Conf

like this?




 
0
 
LVL 1

Author Closing Comment

by:question01
ID: 34202524
tested solution and worked well.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5512 LAN Config 16 78
SSIS with VPN COnnection 2 100
Use packet tracer to verify anyconnect VPN 11 59
not able to to ping server on a switch 1 33
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question