VPN to ASA with a Private IP

Feb 17th, 2009

Hello All,


I have an ISP that has given me a bunch of public IPs, but my gateway is a private address (point-to-point to the ISP router).


I have attached this line to an ASA 5510.


What I want to do is

1) have the ASA with a Private IP on the Outside interface, using 1 Public IP as a VPN Server.

2) 1 Public IP as a Web Server and

3) the 3rd Public IP for surfing from the Inside Interface.


I have tried so far to get my first aim to work without success. I can't even get the ASA 5510 to reply to pings to any of the Public IP Addresses from the Outside that I have configured.


Is this at all possible?


I have already configured something similar with an ASA 5510 that has a Public IP on the Outside interface - this made the job easy.


Please help.


Thanks

Fraser Reid Tue, 02/17/2009 - 12:16

This helps loads with the Ping, but can you also help with the Public - Private IP VPN bit too?

eddie.mitchell@... Tue, 02/17/2009 - 12:21

Once you've got the public IP assigned to the outside interface, setting up the additional access should be pretty easy. All you need is a static statement and an ACL for inbound access to your webserver, and you can use the outside interface of the firewall for outbound PAT.


This document should help:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Fraser Reid Tue, 02/17/2009 - 12:27

Thanks Eddie - I will try this and let you know again in the morning - I am working in Germany. Getting late here :-)

Fraser Reid Wed, 02/18/2009 - 01:55

Sorry Eddie - this didn't solve my main problem - everything else is gone now though... Here is a little drawing with a few example IPs in it - maybe this makes more sense of what I am trying to do.

eddie.mitchell@... Wed, 02/18/2009 - 05:05

So, you've got 12.12.12.1 assigned to the outside interface of your ASA?


Now all you need to do is configure a static and ACL to permit inbound access to your webserver:

static (inside,outside) 12.12.12.2 192.168.1.x netmask 255.255.255.255
access-list outside_in permit tcp any host 12.12.12.2 eq 80
access-group outside_in in interface outside


To allow outbound access from your internal clients (will use the outside IP address of the ASA for PAT) you need the following:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface



I won't go into configuring a remote access VPN here, but this document should guide you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#cli





Fraser Reid Wed, 02/18/2009 - 08:12

Eddie,


Configured on the outside interface I have 10.250.250.5


So how do I assign the 12.12.12.1 to the same interface so that I can have the ASA accept IPSec connections to this IP?


This is what I do not understand.

eddie.mitchell@... Wed, 02/18/2009 - 08:42

I think your only options here would be to set up a static NAT translation on your ISP router (12.12.12.1 -> 10.250.250.5)


(Not sure if this will work with VPNs though)


OR


Reconfigure the ASA to have 12.12.12.1 assigned to the outside interface.
