IPSec design problem

Unanswered Question
Jul 14th, 2007

Hi guys,

I have a client who wants to access a server at a bank. The server has a public IP. The server is secured by a Check Point firewall. At my end I have a Cisco ASA 5510. The requirement from the bank is that clients at my end must use a public IP. I have a public IP on the outside interface. From the requirement it seems that I need to configure IPsec in transport mode. Can anyone help me with what needs to be configured?

Regards


nchandy (Cisco Employee) Tue, 07/17/2007 - 06:21

Hi

Please clarify the below:

1) Is the client an IPsec client?

2) If yes, where is it terminating the IPsec connection?

If not, wouldn't it just be necessary to have the correct statics / ACLs open on both firewalls?

Thanks

amitbatra Tue, 07/17/2007 - 16:42

Hi,

Well, the client at my end is a Windows machine, not running IPsec in any form. The termination endpoint for IPsec on my side is the ASA.

Regards

nchandy (Cisco Employee) Wed, 07/18/2007 - 06:24

Hi

Thanks for the clarification. So the IPsec is between the ASA and the Check Point, right?

In that case, there is no need for transport mode etc. You can define the interesting traffic in the access-list for the IPsec on the ASA to be the actual IPs (public IPs).

Please do let me know if this is clear.

Thanks

Sounds like you just need to policy NAT to a public IP (could be the outside IP) before encrypting the traffic across the VPN. So, instead of non-NATed interesting traffic, the interesting traffic would be the public NAT IP to their public IP. NAT and VPN interesting-traffic config parts example (does not include all VPN config) below...


! Interesting traffic for the VPN: the post-NAT public address to the bank's public address
access-list VPN-TRAFFIC permit ip host 200.1.1.1 host 209.1.1.1

! Policy NAT: only traffic from the inside LAN to the bank server is translated to 200.1.1.1
access-list NAT-ACL permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1
static (inside,outside) 200.1.1.1 access-list NAT-ACL





amitbatra Wed, 07/18/2007 - 14:00

Hi everyone,

First of all, thanks a ton for giving me some time from your busy schedules. Well, I tried this option also. What I did is static NAT the private IP to the public IP, then make that the interesting traffic for the VPN, then create the VPN tunnel. The VPN tunnel comes up without issue, but I cannot ping the other end, which means there is still some issue. I tried both tunnel and transport mode.

Let me know if I am missing something.

The problem is that this setup was running on an ISA server. Now the client asks why Cisco cannot do that.

Regards


nchandy (Cisco Employee) Thu, 07/19/2007 - 13:04

Hi

The tunnel is coming up fine, which would mean phase 1 and phase 2 are OK, right? In sh cry ipsec sa, do you see encrypts and decrypts? If only encrypts, then either the packet is not coming back or the packet is dropped at the ASA.

Do you see anything in the ASA logs?

I assume you have the sysopt connection permit-vpn command in the configuration.

Thanks
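To tie the earlier NAT-before-encryption reply and this troubleshooting post together, here is an added example of a complete ASA site-to-site configuration in the pre-8.3 (7.2/8.0-era) syntax; it is not from the thread or from Cisco. It assumes the addresses already posted above (LAN 192.168.1.0/24, policy-NAT address 200.1.1.1, bank server 209.1.1.1), a constructed Check Point peer address 209.1.1.254, that 200.1.1.1 is a spare public address on the ASA's outside subnet, and placeholder crypto parameters that must be matched to whatever the bank proposes.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside LAN        192.168.1.0/24
!   policy-NAT public 200.1.1.1   (spare address on the ASA outside subnet)
!   bank server       209.1.1.1
!   Check Point peer  209.1.1.254 (constructed; the bank's VPN gateway)
!
! 1) Policy NAT: only traffic from the LAN to the bank server is translated
!    to the single public address the bank requires.
access-list NAT-ACL remark LAN -> bank server, translated to 200.1.1.1
access-list NAT-ACL extended permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1
static (inside,outside) 200.1.1.1 access-list NAT-ACL
!
! 2) Interesting traffic is defined on the POST-NAT address, because NAT
!    happens before encryption on the ASA. The Check Point's encryption
!    domain must also contain 200.1.1.1 <-> 209.1.1.1, otherwise phase 2
!    never matches and nothing is decrypted on the far side.
access-list VPN-TRAFFIC remark post-NAT public address -> bank server
access-list VPN-TRAFFIC extended permit ip host 200.1.1.1 host 209.1.1.1
!
! 3) Phase 1 (IKEv1); parameters must match the bank's proposal
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 4) Phase 2. Tunnel mode is the default and is correct here; transport
!    mode is not needed for a gateway-to-gateway tunnel.
crypto ipsec transform-set BANK-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 209.1.1.254
crypto map OUTSIDE-MAP 10 set transform-set BANK-TS
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 209.1.1.254 type ipsec-l2l
tunnel-group 209.1.1.254 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! 5) Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
!
! Verification (see the troubleshooting post above):
!   show crypto ipsec sa  -> compare "#pkts encaps" with "#pkts decaps";
!                            encaps only means no return traffic arrives
!   show xlate            -> confirm the 192.168.1.x -> 200.1.1.1 translation
```

If the ping still fails with encaps only, the usual cause is that the bank's encryption domain or its Check Point rule base does not include 200.1.1.1, so the reply is never sent back through the tunnel.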
