VPN tunnel using public IPs

May 11th, 2008

I have a vendor that requires us to use public IPs across our VPN tunnel. I have two ranges of public IPs: one that I can use for this tunnel and one that is used for our connection to the ISP.


I currently have an ASA set up with an internal network using 192.168.1.0/24 and an outside interface to the ISP.


When a user needs to get to the vendor website, they need to be NAT'd to a public IP and then diverted through the VPN tunnel.


I was going to assign the second IP range to a DMZ and then create the tunnel on the outside interface and use some tricky routing, but I haven't found a good way to do this. Does anyone have a good example of this?

JORGE RODRIGUEZ Sun, 05/11/2008 - 15:31

Hi Michael,


You should be able to accomplish the request by creating a one-to-one NAT with a public IP for the source that will access the vendor's website through the tunnel, and defining the source/destination in your crypto map access-list. The question would be whether the vendor requires that anyone behind your firewall get NATed with a unique public IP before going through the tunnel; that would be somewhat problematic when there are not too many public IPs available in your range.


On the other hand, if you are planning to create a pool of public IPs for the tunnel, it should be feasible by doing it through Policy NAT.


Rgds

-Jorge

bcon8ive32 Mon, 05/12/2008 - 10:54

Thanks for the reply.


I don't think this site will be used by many people, so a pool of five public IPs that I can use for this should work. Do I need to assign this range to an interface, or can I just make a pool out of the public IPs and route them out the outside interface?


Thanks in advance.

JORGE RODRIGUEZ Mon, 05/12/2008 - 14:18

Michael, if you want to go by pool for the IPsec tunnel to use public IPs instead of one-to-one NAT, you will create local nat and global nat statements. I have created something similar for you, but it is by looking at some configuration examples, so you will have to quote me on this one and revise it carefully, as this script is something along those lines. You will not need to tell the PIX to route anything to outside as long as you have a default route in the firewall and the tunnel is terminated on your outside interface; the firewall will know where to send the traffic based on the crypto map tunnel information you give, as well as the ACL for the IPsec tunnel.


Say the destination host server on the other side is 10.10.10.30, the tunnel peer is 20.20.20.10, your public IP pool is 40.40.40.1 to 40.40.40.5, your inside LAN subnet is 192.168.1.0/24, and we use policy 10 for this tunnel.



create destination host in firewall to be on the outside interface

asdm location 10.10.10.30 255.255.255.255 outside

create in firewall peer tunnel IP address to be on the outside interface

asdm location 20.20.20.10 255.255.255.255 outside

Define local nat and global nat statements

global (outside) 2 40.40.40.1-40.40.40.5 netmask 255.255.255.0
nat (inside) 2 access-list NEW-L2LTUNNEL

Create IPsec Phase 1

isakmp enable outside
isakmp key cisco address 20.20.20.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Create tunnel Phase 2

! the transform set needs a name before the transforms
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set peer 20.20.20.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800 kilobytes 3600
crypto map outside_map interface outside

Create access-list and crypto map acl

! policy NAT ACL: inside hosts going to the vendor host get an address from pool 2
access-list NEW-L2LTUNNEL permit ip 192.168.1.0 255.255.255.0 host 10.10.10.30
! crypto ACL: NAT is applied before the crypto map is checked, so match the
! translated pool (40.40.40.1-40.40.40.5 fits in 40.40.40.0/29), not 192.168.1.0/24
access-list outside_cryptomap_10 permit ip 40.40.40.0 255.255.255.248 host 10.10.10.30


Again, you will have to quote me on this one, as I have not tested it, but it is along these lines.


You can get some good ideas from these links; the overlapping example is good, strip the scripts off these and create one based on your requirements.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml


HTH

Rgds

-Jorge
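Added example (not from the thread): a small Python model of the ASA's outbound order of operations, policy NAT first, then the crypto map ACL evaluated against the already-translated packet. It reuses Jorge's sample addresses and assumes that platform behaviour (NAT before crypto map matching); the point it shows is that a crypto ACL written against 192.168.1.0/24 never matches the pool-translated traffic, which then leaves the outside interface unencrypted instead of entering the tunnel.

```python
from itertools import cycle
from ipaddress import ip_address, ip_network

# Constructed sample addresses: the same ones Jorge used above (assumed to stand
# in for the real public ranges).
INSIDE_LAN = ip_network("192.168.1.0/24")
VENDOR_HOST = ip_address("10.10.10.30")
NAT_POOL = [ip_address(f"40.40.40.{i}") for i in range(1, 6)]  # global (outside) 2 pool


def policy_nat(src, dst, pool_iter):
    """nat (inside) 2 access-list NEW-L2LTUNNEL: translate the source only when the
    packet matches the policy ACL (inside LAN -> vendor host).  Real xlate allocation
    is per connection; round-robin over the pool is a simplification."""
    if src in INSIDE_LAN and dst == VENDOR_HOST:
        return next(pool_iter)
    return src  # everything else falls through to the ordinary internet NAT/PAT


def crypto_match(src, dst, crypto_src_net):
    """crypto map ... match address: on the ASA this is evaluated AFTER NAT,
    so it sees the translated source address."""
    return src in crypto_src_net and dst == VENDOR_HOST


def outbound(src, dst, crypto_src_net, pool_iter):
    """Return ('tunnel' | 'clear', translated_source) for one outbound packet."""
    xlated = policy_nat(src, dst, pool_iter)
    verdict = "tunnel" if crypto_match(xlated, dst, crypto_src_net) else "clear"
    return verdict, xlated


def compare():
    """Same client, two crypto ACL drafts: one matching the pre-NAT 192.168.1.0/24
    source, one matching the translated pool.  Also shows that ordinary internet
    traffic is left untouched by the policy NAT."""
    client = ip_address("192.168.1.50")
    draft = outbound(client, VENDOR_HOST, INSIDE_LAN, cycle(NAT_POOL))
    fixed = outbound(client, VENDOR_HOST, ip_network("40.40.40.0/29"), cycle(NAT_POOL))
    internet = outbound(client, ip_address("203.0.113.9"), ip_network("40.40.40.0/29"), cycle(NAT_POOL))
    return {
        "draft_acl": draft[0],             # 'clear': the packet never enters the tunnel
        "fixed_acl": fixed[0],             # 'tunnel'
        "translated_src": str(fixed[1]),   # '40.40.40.1', first address of the pool
        "internet_src": str(internet[1]),  # unchanged '192.168.1.50'
    }


if __name__ == "__main__":
    print(compare())
```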



o.ilesanmi Thu, 05/15/2008 - 06:58

You can use the NAT policy functionality with static translation for the tunnel to your vendor. Refer below:


! placeholders: INSIDE_CLIENT is one inside host, VENDOR_HOST the server behind the tunnel,
! MAPPED_PUBLIC_IP the public address that client is translated to (policy static needs it)
access-list xxx permit ip host INSIDE_CLIENT host VENDOR_HOST
static (inside,outside) MAPPED_PUBLIC_IP access-list xxx


This maps an internal client to the vendor's translated IP address, so you can have this done for each client. Note that the internet traffic will still go through the regular translation policy.

