Solved

Cisco ASA VPN Nat Problem

Posted on 2010-11-21
9
892 Views
Last Modified: 2012-06-21
I have an ASA 5500 connected to the internet. I have a remote site with a cisco 877 connected to the ASA over a l2l VPN over the internet.

I want to make one of the hosts at the remote site available to the public internet so I assume I need to use a static NAT on the firewall.

I am a little confused about how to do this.

Essentially, the traffic will come in from the internet to the outside interface and then be natted, encrypted and sent back out the outside interface over the VPN to the host.

How do I do this as they are both on the outside interface?

static (outside,outside) public address internal adress?

0
Comment
Question by:question01
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +3
9 Comments
 
LVL 3

Expert Comment

by:caballo_oscuro
ID: 34186894
use an extnded access control list that prevents (deny) the exact network from gaining access to the 80 port of the router then permit the other network any any. Place the acccess control list on the appropriate port on the router.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34187412
Is your network topology like

internet -> cisco 877 --nat--> host

?

Why is VPN involved?

0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 34187972
yea that static should do the trick... but make sure u have the command 'same-security-traffic permit intra-interface' in place.

u can even do a nat:

nat (outside) 1 <internal ip> outside
global (outside) 1 interface  ---- (which i assume u will be having)

so that u pat the internal ip to the outside interface of the ASA saving the public ip u are using for the static nat.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34188927
Unless the whole traffic of the host at remote site that you want to make public, tunneled to ASA, including the internet traffic, what you want to do is not possible.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34189095
Also,  why would you want traffic to come into the ASA then sent back out the interface to the remote site?   Wouldn't it be easier just to have the traffic directed over there?  

Do you want traffic to come into the ASA then sent across VPN to the other site's host?  
0
 
LVL 1

Author Comment

by:question01
ID: 34192727
Good question MikeKane.

(Remote Site) cisco 877 -------------- Internet------------------ ASA

With a VPN betwen the 877 and the ASA.
At the moment all traffic from the remote site comes back to the main site (ASA) over the VPN before being sent back out the same interface to the internet. There are a few reasons for this, proxies etc...

I want a host (Video conferencing unit) on the remote site to be publically accessible from the internet. The only spare IP address space we have is on the network that connects to the ASA so I was planning on using one of these addresses as the public address for the host at the remote site.

 
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34192848
So remote site goes to intervet via ASA's internet connection. For a simple test, tell a user at remote site to enter www.whatismyip.com . If it is the same with the one that a user at HQ behind ASA sees at the same web address, then the outside,outside static should work.
0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34195302
internet -> (public IP)ASA -> NAT-dst -> routing lookup -> VPN Tunnel -> 877 -> Video Conf

like this?




 
0
 
LVL 1

Author Closing Comment

by:question01
ID: 34202524
tested solution and worked well.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question