VPN site to site between ASA 5520 and checkpoint

Hi All

I have configured a site-to-site VPN between an ASA 5520 and a Checkpoint FW in another country.

Remote country details:

Checkpoint Gateway:      10.10.20.1
Encryption Domain(s):    192.230.230.200

VPN traffic direction (from my Cisco ASA 5520 to the other country's Checkpoint):

Source                                  Destination        Service
My Cisco ASA external IP 62.62.10.1     192.230.230.200    FTP

My local network is 192.168.1.x/24.
Phase one is completed successfully. As per the Checkpoint admin, I need to create a NAT rule in my ASA 5520 so that when my local network 192.168.0/24 connects to their FTP site 192.230.230.200 the address is NATed to my external interface 62.62.10.1 instead of showing the local network.


Kindly advise what NAT to create.
ITMaster1979 asked:

NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Have you created a site-to-site VPN tunnel between your Cisco device and the Checkpoint firewall? If yes, can you run this command on your ASA:

#sh cry isa sa

If you have created a site-to-site VPN between Cisco and Checkpoint, the destination IP address for the FTP service should be a LAN network IP, not an Internet IP address.

When you created the site-to-site VPN, the local network is 192.168.1.x/24; what is the network you provided in the remote network option on your ASA?

Yes, you need to create a NO NAT rule to reach the destination server, i.e. from 192.168.1.x/24 to the remote network (LAN) there is no need to do NAT on the ASA.
ITMaster1979 (author) commented:
Hi

Yes, the site-to-site is created and phase 1 is OK.

When I run show crypto isakmp sa I get

IKE Peer: remotepeer
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

I need my local network to reach the FTP from my external ASA and not from 192.168.1.0/24.
ITMaster1979 (author) commented:
Sorry, it's Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
//I need my local network to reach the FTP from my external ASA and not from 192.168.1.0/24//

In that case you do not need to have a site-to-site VPN.

From which system/workstation are you trying to FTP, and what is the IP address of that system?
ITMaster1979 (author) commented:
Hi

From the 192.168.1.10/24 PC.

In my ASA site-to-site wizard I configured 192.168.1.0/24 (my local network). The remote peer is rejecting my FTP traffic because it is coming from 192.168.1.10 and not from my external ASA 62.62.10.1. They need me to NAT any traffic from 192.168.1.0/24 to their FTP IP so that it comes from the external ASA.

Please advise.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
@ITMaster1979 -- For your requirement you do not need to have a site-to-site VPN at all.

You need to configure NAT to fulfil your request.

If you are running ASA version 8.2, then apply the below command on the ASA:

static (inside,outside) tcp 192.168.1.10 21 62.62.10.1 21 netmask 255.255.255.255

Also, can you run the below commands on your ASA:

#sh run int
#sh run | i nat
#sh int ip brief
#sh ver
ITMaster1979 (author) commented:
Thanks for your time and support.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 62.62.10.1 21  255.255.255.0

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.248.0



access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 192.230.230.200
nat (inside) 0 access-list inside_nat0_outbound



Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0        62.62.10.1 21  YES CONFIG up                    up
GigabitEthernet0/1       192.168.2.1   YES CONFIG up                    up


sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

ASGFirewall up 20 hours 46 mins
failover cluster up 1 year 55 days

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0  : address is c84c.7599.47ba, irq 9
 1: Ext: GigabitEthernet0/1  : address is c84c.7599.47bb, irq 9
 2: Ext: GigabitEthernet0/2  : address is c84c.7599.47bc, irq 9
 3: Ext: GigabitEthernet0/3  : address is c84c.7599.47bd, irq 9
 4: Ext: Management0/0       : address is c84c.7599.47be, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 750
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has an ASA 5520 VPN Plus license.


I need the VPN as I got the pre-shared keys and details and phase 1 is OK.
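An added example, not posted by either participant, of how the requirement stated in the question (hosts in 192.168.1.0/24 reaching 192.230.230.200 through the tunnel while appearing as 62.62.10.1) is expressed on ASA 8.0 with policy PAT. The inside_nat0_outbound line is the one from the posted configuration; the ACL name VPN_PAT, NAT ID 2 and the crypto ACL name outside_cryptomap are assumptions, and the crypto ACL entry is meant to replace whatever the wizard created for 192.168.1.0/24.

```cisco
! Added example (not from the thread). ASA 8.0(4) syntax.
! Names VPN_PAT, outside_cryptomap and NAT ID 2 are assumptions.

! 1. Take the peer's FTP host out of the NAT exemption. On 8.0 the
!    nat 0 access-list rule has precedence over static and policy NAT,
!    so while this ACE exists traffic to 192.230.230.200 keeps leaving
!    with its real 192.168.1.x source.
no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 192.230.230.200

! 2. Policy PAT: only traffic destined to 192.230.230.200 is translated
!    to the outside interface address (62.62.10.1); all other traffic
!    keeps the NAT it has today.
access-list VPN_PAT extended permit ip 192.168.1.0 255.255.255.0 host 192.230.230.200
nat (inside) 2 access-list VPN_PAT
global (outside) 2 interface

! 3. NAT happens before crypto-map matching, so the crypto ACL must
!    match the post-NAT source. The Checkpoint side's VPN domain for
!    this peer then has to be 62.62.10.1 <-> 192.230.230.200, which is
!    what the table in the question already shows.
access-list outside_cryptomap extended permit ip host 62.62.10.1 host 192.230.230.200

! Verification after a test FTP session from 192.168.1.10:
!   show xlate | include 192.168.1.10      ! expect a PAT entry to 62.62.10.1
!   show crypto ipsec sa peer 10.10.20.1   ! expect the encaps counter to rise
```

If the xlate appears but the IPsec encaps counter stays at zero, the crypto ACL still matches the untranslated 192.168.1.0/24 source rather than 62.62.10.1.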
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Fine. Apply the below command on the ASA.

Syntax:

static (inside,outside) tcp (LAN IP address) 21 (WAN IP address) 21 netmask 255.255.255.255

Here is the exact command that needs to be applied on your ASA:

config t

static (inside,outside) tcp 192.168.1.10 21 62.62.10.1 21 netmask 255.255.255.255
ITMaster1979 (author) commented:
Hi

I did the command but still can't access the FTP site. Do I need to remove any existing NAT?
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Can you paste the complete running configuration here so I can understand how the ASA is working?

Note: remove all username/password/SNMP related config.
ITMaster1979 (author) commented:
OK, please check:
asa.txt
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Just copy and paste the below line; the FTP should work.

static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255

ITMaster1979 (author) commented:
Hi

It already exists.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Is it possible to have a look at your ASA logs? I am OK with doing live troubleshooting to resolve this.

Either I can connect to your system through TeamViewer or join.me to have a look at the ASA config.
ITMaster1979 (author) commented:
Thanks, yes. How can I grant you access? Do you have an email?
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
Yes.

You can email me the details at projects@netexpert.com.sg
ITMaster1979 (author) commented:
I did, Samy replied.
NetExpert Network Solutions Pte Ltd, Technical Specialist, commented:
@ITMaster1979 - It's nice to know that the issue is resolved :)