Cisco ASA VPN Nat Problem

I have an ASA 5500 connected to the internet. I have a remote site with a cisco 877 connected to the ASA over a l2l VPN over the internet.

I want to make one of the hosts at the remote site available to the public internet so I assume I need to use a static NAT on the firewall.

I am a little confused about how to do this.

Essentially, the traffic will come in from the internet to the outside interface and then be natted, encrypted and sent back out the outside interface over the VPN to the host.

How do I do this as they are both on the outside interface?

static (outside,outside) public address internal adress?

LVL 1
question01Asked:
Who is Participating?
 
ullas_unniCommented:
yea that static should do the trick... but make sure u have the command 'same-security-traffic permit intra-interface' in place.

u can even do a nat:

nat (outside) 1 <internal ip> outside
global (outside) 1 interface  ---- (which i assume u will be having)

so that u pat the internal ip to the outside interface of the ASA saving the public ip u are using for the static nat.
0
 
caballo_oscuroCommented:
use an extnded access control list that prevents (deny) the exact network from gaining access to the 80 port of the router then permit the other network any any. Place the acccess control list on the appropriate port on the router.
0
 
ksaikiCommented:
Is your network topology like

internet -> cisco 877 --nat--> host

?

Why is VPN involved?

0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Alan Huseyin KayahanCommented:
Unless the whole traffic of the host at remote site that you want to make public, tunneled to ASA, including the internet traffic, what you want to do is not possible.
0
 
MikeKaneCommented:
Also,  why would you want traffic to come into the ASA then sent back out the interface to the remote site?   Wouldn't it be easier just to have the traffic directed over there?  

Do you want traffic to come into the ASA then sent across VPN to the other site's host?  
0
 
question01Author Commented:
Good question MikeKane.

(Remote Site) cisco 877 -------------- Internet------------------ ASA

With a VPN betwen the 877 and the ASA.
At the moment all traffic from the remote site comes back to the main site (ASA) over the VPN before being sent back out the same interface to the internet. There are a few reasons for this, proxies etc...

I want a host (Video conferencing unit) on the remote site to be publically accessible from the internet. The only spare IP address space we have is on the network that connects to the ASA so I was planning on using one of these addresses as the public address for the host at the remote site.

 
0
 
Alan Huseyin KayahanCommented:
So remote site goes to intervet via ASA's internet connection. For a simple test, tell a user at remote site to enter www.whatismyip.com . If it is the same with the one that a user at HQ behind ASA sees at the same web address, then the outside,outside static should work.
0
 
ksaikiCommented:
internet -> (public IP)ASA -> NAT-dst -> routing lookup -> VPN Tunnel -> 877 -> Video Conf

like this?




 
0
 
question01Author Commented:
tested solution and worked well.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.