Improve company productivity with a Business Account.Sign Up

x
?
Solved

Cisco ASA VPN Nat Problem

Posted on 2010-11-21
9
Medium Priority
?
898 Views
Last Modified: 2012-06-21
I have an ASA 5500 connected to the internet. I have a remote site with a cisco 877 connected to the ASA over a l2l VPN over the internet.

I want to make one of the hosts at the remote site available to the public internet so I assume I need to use a static NAT on the firewall.

I am a little confused about how to do this.

Essentially, the traffic will come in from the internet to the outside interface and then be natted, encrypted and sent back out the outside interface over the VPN to the host.

How do I do this as they are both on the outside interface?

static (outside,outside) public address internal adress?

0
Comment
Question by:question01
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 3

Expert Comment

by:caballo_oscuro
ID: 34186894
use an extnded access control list that prevents (deny) the exact network from gaining access to the 80 port of the router then permit the other network any any. Place the acccess control list on the appropriate port on the router.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34187412
Is your network topology like

internet -> cisco 877 --nat--> host

?

Why is VPN involved?

0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 2000 total points
ID: 34187972
yea that static should do the trick... but make sure u have the command 'same-security-traffic permit intra-interface' in place.

u can even do a nat:

nat (outside) 1 <internal ip> outside
global (outside) 1 interface  ---- (which i assume u will be having)

so that u pat the internal ip to the outside interface of the ASA saving the public ip u are using for the static nat.
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34188927
Unless the whole traffic of the host at remote site that you want to make public, tunneled to ASA, including the internet traffic, what you want to do is not possible.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34189095
Also,  why would you want traffic to come into the ASA then sent back out the interface to the remote site?   Wouldn't it be easier just to have the traffic directed over there?  

Do you want traffic to come into the ASA then sent across VPN to the other site's host?  
0
 
LVL 1

Author Comment

by:question01
ID: 34192727
Good question MikeKane.

(Remote Site) cisco 877 -------------- Internet------------------ ASA

With a VPN betwen the 877 and the ASA.
At the moment all traffic from the remote site comes back to the main site (ASA) over the VPN before being sent back out the same interface to the internet. There are a few reasons for this, proxies etc...

I want a host (Video conferencing unit) on the remote site to be publically accessible from the internet. The only spare IP address space we have is on the network that connects to the ASA so I was planning on using one of these addresses as the public address for the host at the remote site.

 
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34192848
So remote site goes to intervet via ASA's internet connection. For a simple test, tell a user at remote site to enter www.whatismyip.com . If it is the same with the one that a user at HQ behind ASA sees at the same web address, then the outside,outside static should work.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34195302
internet -> (public IP)ASA -> NAT-dst -> routing lookup -> VPN Tunnel -> 877 -> Video Conf

like this?




 
0
 
LVL 1

Author Closing Comment

by:question01
ID: 34202524
tested solution and worked well.
0

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Considering cloud tradeoffs and determining the right mix for your organization.
This article is about building a site to site VPN tunnels in Cisco CSR1000V router with IOS XE. There are two Policy Based IPsec VPN tunnels configured on CSR1000V router one with NAT and another without NAT.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question