Solved

Cisco ASA VPN Nat Problem

Posted on 2010-11-21
Last Modified: 2012-06-21
I have an ASA 5500 connected to the internet. I have a remote site with a Cisco 877 connected to the ASA over an L2L VPN over the internet.

I want to make one of the hosts at the remote site available to the public internet so I assume I need to use a static NAT on the firewall.

I am a little confused about how to do this.

Essentially, the traffic will come in from the internet to the outside interface and then be natted, encrypted and sent back out the outside interface over the VPN to the host.

How do I do this as they are both on the outside interface?

static (outside,outside) public address internal address?

Question by:question01
9 Comments
 
LVL 3

Expert Comment

by:caballo_oscuro
ID: 34186894
Use an extended access control list that prevents (deny) the exact network from gaining access to the 80 port of the router, then permit the other network any any. Place the access control list on the appropriate port on the router.
 
LVL 2

Expert Comment

by:ksaiki
ID: 34187412
Is your network topology like

internet -> cisco 877 --nat--> host

?

Why is VPN involved?

 
LVL 4

Accepted Solution

by:
ullas_unni earned 2000 total points
ID: 34187972
Yeah, that static should do the trick... but make sure you have the command 'same-security-traffic permit intra-interface' in place.

You can even do a NAT:

nat (outside) 1 <internal ip> outside
global (outside) 1 interface  ---- (which I assume you will be having)

so that you PAT the internal IP to the outside interface of the ASA, saving the public IP you are using for the static NAT.
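The accepted answer's commands assembled into one pre-8.3 ASA configuration, as an added example that is not from the thread or from the asker's firewall. Addresses, object names and ports are constructed placeholders: 203.0.113.50 is the spare public address on the ASA's outside network, 192.168.10.0/24 is the branch LAN behind the 877 and 192.168.10.20 is the video conferencing unit.

```text
! Added example (constructed placeholders, pre-8.3 ASA syntax).

! Let a flow enter and leave the same interface (outside -> outside).
! Without this the ASA silently drops the hairpinned traffic.
same-security-traffic permit intra-interface

! Map the spare public address to the remote host. Both sides of the
! translation are reached through the outside interface, hence (outside,outside).
static (outside,outside) 203.0.113.50 192.168.10.20 netmask 255.255.255.255

! Pre-8.3 inbound ACLs are checked against the public (untranslated)
! address. Permit only what the unit needs; 1720/tcp (H.323 call
! signalling) and a UDP media range are assumed here for illustration.
access-list outside_in extended permit tcp any host 203.0.113.50 eq 1720
access-list outside_in extended permit udp any host 203.0.113.50 range 50000 50019
access-group outside_in in interface outside

! After the static is undone the packet is destined to 192.168.10.20 and is
! routed back out of outside, so the L2L crypto ACL must match the branch LAN
! for ANY source. That is the "all branch traffic is tunnelled to the ASA"
! condition raised in the thread: a crypto ACL covering only HQ LAN -> branch
! LAN would not match, and the packet would leave in the clear with a private
! destination (constructed map name and sequence number).
access-list l2l_branch extended permit ip any 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address l2l_branch

! Alternative from the accepted answer when no spare public address exists:
! PAT the host behind the ASA's own outside address. This only covers
! connections the unit initiates; inbound calls would still need a
! port-specific static on the interface address.
! nat (outside) 1 192.168.10.20 255.255.255.255 outside
! global (outside) 1 interface
```

Verify with "show xlate" once a session is up: the hairpinned flow appears as a translation between 203.0.113.50 and 192.168.10.20 on the outside interface, and "show crypto ipsec sa" for the branch peer should show the encaps counter climbing for the same packets.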
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34188927
Unless all the traffic of the host at the remote site that you want to make public, including its internet traffic, is tunneled to the ASA, what you want to do is not possible.
 
LVL 33

Expert Comment

by:MikeKane
ID: 34189095
Also, why would you want traffic to come into the ASA and then be sent back out the same interface to the remote site? Wouldn't it be easier just to have the traffic directed over there?

Do you want traffic to come into the ASA and then be sent across the VPN to the other site's host?
 
LVL 1

Author Comment

by:question01
ID: 34192727
Good question MikeKane.

(Remote Site) cisco 877 -------------- Internet------------------ ASA

With a VPN between the 877 and the ASA.
At the moment all traffic from the remote site comes back to the main site (ASA) over the VPN before being sent back out the same interface to the internet. There are a few reasons for this, proxies etc...

I want a host (video conferencing unit) on the remote site to be publicly accessible from the internet. The only spare IP address space we have is on the network that connects to the ASA, so I was planning on using one of these addresses as the public address for the host at the remote site.
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 34192848
So the remote site goes to the internet via the ASA's internet connection. For a simple test, tell a user at the remote site to visit www.whatismyip.com. If it is the same as the one that a user at HQ behind the ASA sees at the same web address, then the outside,outside static should work.
 
LVL 2

Expert Comment

by:ksaiki
ID: 34195302
internet -> (public IP)ASA -> NAT-dst -> routing lookup -> VPN Tunnel -> 877 -> Video Conf

like this?
 
LVL 1

Author Closing Comment

by:question01
ID: 34202524
Tested the solution and it worked well.
