Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
5
Helpful
4
Replies

VPN tunnel using public IP's

bcon8ive32
Level 1
Level 1

‎05-11-2008 10:20 AM - edited ‎03-11-2019 05:43 AM

I have a vendor that requires us to use public IP's across our VPN tunnel. I have two ranges of public IP's one that I can use for this tunnel and one that is used for our connection to the ISP.

I currently have an ASA setup with and interal network using 192.168.1.0/24 and an outside interface to the ISP.

When a user needs to get to the vendor website, they need to be NAT'd to a public IP and then diverted through the VPN tunnel.

I was going to assign the second IP range to a DMZ and then create the tunnel on the outside interface and use some tricky routing, but I haven't found a good way to do this. Does anyone have a good example of this?

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎05-11-2008 03:31 PM

Hi Michael,

You should be able to accomplish the request by creating a one-to-one nat with a public IP for the source that will access the vendor's website through the tunnel and define the source/destination in your crypto map access-list. The question would be if the vendor requires that any one behind your firewall get natted with a unique public IP before going through the tunnel that would be somewhat problematic when there is not to many public IPs available in your range.

On the other hand, if you are planing to create a pool of public ips for the tunnel it should be feasable by doing it through Policy NAT.

Rgds

-Jorge

Jorge Rodriguez
0 Helpful

bcon8ive32
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎05-12-2008 10:54 AM

Thanks for the reply.

I don't think this site will be used by many people, so a pool of five public IP's that I can use for this should work. Do I need to assign this range to an interface or can I just make a pool out of the public IP's and route them out the outside interface?

Thanks in advance.

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to bcon8ive32

‎05-12-2008 02:18 PM

Michale, if you want to go by pool for the ipsec tunnel to use public IPs instead of one to one nat you will create local nat and global nat statement, I have create something similar for you but it is by looking at some configurations examples but you will have to quote me on this one and revise it carefully as this script is something along those lines, you will not need to tell pix to route anything to outside as long you have a default route in firewall and that the tunnel is terminated in your outside interface, firewall will know where to send the traffic based on crypto map tunnel information you give as well as ACL for the IPsec tunnel.

Say the destination host server on the other side is 10.10.10.30, the tunnel peer is 20.20.20.10 your public IP pool is 40.40.40.1 to 40.40.40.5 and your inside LAN subnet is 192.168.1.0/24. and we use policy 10 for this tunnel.

create destination host in firewall to be on the outside interface

asdm location 10.10.10.30 255.255.255.255 outside

create in firewall peer tunnel IP address to be on the outside interface

asdm location 20.20.20.10 255.255.255.255 oustide

Define local nat and global nat statements

global(outside)2 40.40.40.1-40.40.40.5 netmask 255.255.255.0

nat(inside) 2 access-list NEW-L2LTUNNEL

Create Ipsec Phase 1

isakmp key cisco address 20.20.20.10 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 10 authen pre-share

isakmp policy 10 encrypt 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Create tunnel Phase 2

crypto ipsec transform-set esp-3des esp-sha-hmac

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set pfs group2

crypto map outside_map 10 set peer 20.20.20.10

crypto map outside_map 10 set transform-set

crypto map outside_map 10 set security-association lifetime seconds 28800 kilobytes 3600

Create access-list and crypto map acl

access-list NEW-L2LTUNNEL permit ip 192.168.1.0 255.255.255.0 host 10.10.10.30

access-list outside_cryptomap_10 permit ip 192.168.1.0 255.255.255.0 10.10.10.30

crypto map outside_map interface outside

Again you will have to quote me on this one as I have not tested it but it is along these lines.

You can get some good ideas on these links like the overlaping example is good to strip scripts off these and create one based on requirements.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml

HTH

Rgds

-Jorge

Jorge Rodriguez

o.ilesanmi
Level 1
Level 1

‎05-15-2008 06:58 AM

You can use the nat policy functionality

with static translation for the tunnel to your vendor. refer below

access-list xxx permit ip host

static (inside,outside) access-list xxx

This maps an internal client to the vendor's translated IP address. so you can have this done for each client.note that the internet traffic will still go through the regular translation policy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card