VPN to ASA with a Private IP

Feb 17th, 2009

Hello All,

I have an ISP that has given me a bunch of public IPs, but my gateway is a private address (point-to-point to the ISP router).

I have attached this line to an ASA 5510.

What I want to do is

1) have the ASA with a Private IP on the Outside interface Using 1 Public IP as a VPN Server.

2) 1 Public IP as a Web Server and

3) the 3rd Public IP for surfing from the Inside Interface.

I have tried so far to get my first aim to work without success. I can't even get the ASA 5510 to reply to pings to any of the Public IP Addresses from the Outside that I have configured.

Is this at all possible?

I have already configured something similar with an ASA 5510 that has a Public IP on the Outside interface - this made the job easy.

Please help.


Fraser Reid Tue, 02/17/2009 - 12:16

This helps loads with the Ping, but can you also help with the Public - Private IP VPN bit too?

eddie.mitchell@... Tue, 02/17/2009 - 12:21

Once you've got the public IP assigned to the outside interface, setting up the additional access should be pretty easy. All you need is a static statement and an ACL for inbound access to your webserver, and you can use the outside interface of the firewall for outbound PAT.

This document should help:


Fraser Reid Tue, 02/17/2009 - 12:27

Thanks Eddie - I will try this and let you know again in the morning - I am working in Germany, it's getting late here :-)

Fraser Reid Wed, 02/18/2009 - 01:55

Sorry Eddie - this didn't solve my main problem - everything else is gone now though..... Here is a little drawing with a few example IPs in it - maybe this makes more sense of what I am trying to do.

eddie.mitchell@... Wed, 02/18/2009 - 05:05

So, you've got assigned to the outside interface of your ASA?

Now all you need to do is configure a static and ACL to permit inbound access to your webserver:

static(inside,outside) 192.168.1.x netmask

access-list outside_in permit tcp any host eq 80

access-group outside_in in interface outside

To allow outbound access from your internal clients (will use the outside IP address of the ASA for PAT) you need the following:

nat (inside) 1

global (outside) 1 interface

I won't go into configuring a remote access VPN here, but this document should guide you:


Fraser Reid Wed, 02/18/2009 - 08:12


Configured on the outside interface I have

So how do I assign the to the same interface so that I can have the ASA accept IPSec connections to this IP?

This is what I do not understand.

eddie.mitchell@... Wed, 02/18/2009 - 08:42

I think your only options here would be to set up a static NAT translation on your ISP router ( ->

(Not sure if this will work with VPNs though)


Reconfigure the ASA to have assigned to the outside interface.

