IPSec design problem

amitbatra
Level 1

Hi guys,

I have a client who wants to access a server at a bank. The server has a public IP and is secured by a Check Point firewall. At my end I have a Cisco ASA 5510. The bank's requirement is that clients at my end must use a public IP; I have a public IP on the outside interface. From the requirement it seems that I need to configure IPsec in transport mode. Can anyone help me with what needs to be configured?

regards

6 Replies

nchandy
Cisco Employee

Hi

Please clarify the below:

1) Is the client an IPsec client?

2) If yes, where is it terminating the IPsec connection?

If not, wouldn't it just be necessary to have the correct static / ACLs open on both firewalls?

Thanks

Hi,

Well, the client at my end is a Windows machine, not running IPsec in any form. The termination endpoint for IPsec on my side is the ASA.

regards

Hi

Thanks for the clarification. So the IPsec is between the ASA and the Check Point, right?

In that case, there is no need for transport mode etc. You can define the interesting traffic in the access-list for the IPsec on the ASA to be the actual IPs (public IPs).

Please do let me know if this is clear.

Thanks

palomoj
Level 1

Sounds like you just need to policy NAT to a public IP (could be outside IP) before encrypting the traffic across the VPN. So, instead of non-NAT'ed interesting traffic, the interesting traffic would be the public NAT IP to their public IP. NAT and VPN interesting traffic config parts example (does not include all VPN config) below...

access-list VPN-TRAFFIC permit ip host 200.1.1.1 host 209.1.1.1

access-list NAT-ACL permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1

static (inside,outside) 200.1.1.1 access-list NAT-ACL
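A fuller version of this policy-NAT-before-encryption setup, added here as an illustration and not part of palomoj's reply or of any Cisco document. It keeps the addresses and ACL names from the snippet above and the pre-8.3 ASA NAT syntax that snippet uses. The bank-side peer address 209.1.1.254, the names OUTSIDE-MAP and ESP-AES-SHA, the IKE and IPsec parameters and the pre-shared key are all placeholders or assumptions; substitute whatever the bank specifies.

```cisco
! Assumed topology (placeholders): inside LAN 192.168.1.0/24, public NAT address 200.1.1.1
! on the ASA's outside subnet, bank server 209.1.1.1, bank Check Point peer 209.1.1.254.

! Policy NAT: only LAN traffic destined to the bank server is translated to 200.1.1.1.
! The ASA translates before it encrypts, so the crypto ACL below must match the
! translated (public) source, not 192.168.1.0/24.
access-list NAT-ACL extended permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1
static (inside,outside) 200.1.1.1 access-list NAT-ACL

! Interesting traffic in post-NAT terms. The Check Point's encryption domain must mirror
! this exactly (200.1.1.1 <-> 209.1.1.1); a mismatch lets the tunnel come up for a
! proposal both sides accept while the actual packets are still dropped.
access-list VPN-TRAFFIC extended permit ip host 200.1.1.1 host 209.1.1.1

! Phase 1 (IKEv1) policy; values are assumptions, match what the bank requires.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 proposal and the crypto map bound to the outside interface.
! Tunnel mode is the default; transport mode is not needed for this design.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 209.1.1.254
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Site-to-site tunnel group keyed on the peer address; replace the placeholder key.
tunnel-group 209.1.1.254 type ipsec-l2l
tunnel-group 209.1.1.254 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! Let decrypted VPN traffic bypass the outside interface ACL; without this the return
! traffic from 209.1.1.1 needs an explicit permit on the outside ACL.
sysopt connection permit-vpn

! Verification after sending traffic from the LAN to 209.1.1.1:
!   show crypto isakmp sa   - phase 1 state should be MM_ACTIVE
!   show crypto ipsec sa    - #pkts encaps and #pkts decaps should both increase
```

With this in place the bank only ever sees 200.1.1.1 as the source, which satisfies the "clients must use a public IP" requirement without any IPsec on the Windows machine itself. If the outside interface's own address has to be the public source instead of a spare address, the static command accepts the keyword interface in place of the mapped address. Either way, both ends must describe the same pair of public hosts as the protected traffic.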

Hi everyone,

First of all, thanks a ton for giving me some time from your busy schedules. Well, I tried this option also. What I did is static NAT the private IP to the public IP, then make that the interesting traffic for the VPN, then create the VPN tunnel. The VPN tunnel comes up without issue, but I cannot ping the other end, which means there is still some issue. I tried both tunnel and transport mode.

Let me know if I am missing something.

The problem is that this setup was running on an ISA server. Now the client asks why Cisco cannot do that.

regards

Hi

Tunnel is coming up fine, which would mean phase 1 and phase 2 are OK, right? In sh cry ipsec sa, do you see encrypts and decrypts? If only encrypts, then either the packet is not coming back or the packet is dropped at the ASA.

Do you see anything in the ASA logs?

I assume you have the sysopt connection permit-vpn command in the configuration.

Thanks
