IP Sec Tunnel Issue

Unanswered Question
Jan 3rd, 2010

Hello Experts,

We have a Cisco ASA 5505 (OS version 8.2.1) in use for the Production Site, and it is working fine without any problem. One of the Services Servers has the private IP 192.168.18.104 configured and is NATted to the public IP address 1.1.1.10 configured on the ASA Firewall. A few ports are opened for incoming traffic on the outside interface for the Services Server, which seems to be working fine.

Now we need to establish an IPsec VPN Tunnel with a Vendor for the Services Server. For that, phase-1 negotiation has been completed, but there is some new configuration required in which we need to allow the interesting traffic based on the public IP rather than the private IP, which is what we basically do while creating VPN Tunnels between two sites. The tunnel is created between the two sites and it is active. Our Outside Peer IP Address is 1.1.1.1 and the vendor IP Address is 2.2.2.1, and they are using a Netscreen Firewall. Basically, for allowing the traffic we use the private subnet/IP address and send their traffic over the tunnel like 192.168.18.104 (Private IP)------1.1.1.1 (Outside Interface IP of ASA)-----------encrypted Tunnel---------2.2.2.1 (Netscreen Peer IP). Now the problem is that the Vendor is using the public IP (1.1.1.10) in their configuration for our services server instead of 192.168.18.104. But according to me we can allow the local subnet/IP in the interesting traffic over the tunnel.

Can anyone help me with whether we can allow the public IP in our configuration, as they are using the Public IP address for their Services Server (2.2.2.10)? I don't know what configuration needs to be done so that both servers can communicate with each other. The scenario we want is: 1.1.1.10 (Services Server Public IP)------1.1.1.1----------------------encrypted----------------------2.2.2.1------------------2.2.2.10 (Vendor Services Server).

Regards,

Vinay Gupta

ufuk guler Sun, 01/03/2010 - 13:27

Hello Vinay,

We have many similar examples in our business. We are establishing PUBLIC IP TO PUBLIC IP tunnels between systems, even though our servers have local IP addresses on their NICs. The main point is, NAT is performed before IPSEC. To use PUBLIC IP addresses for the IPSEC tunnel:

1 - You should replace the server local IP address 192.168.18.254 with the server public IP address 1.1.1.10 in the IPSEC ACCESS-LIST.

(access-list TUNNEL extended permit ip host 1.1.1.10 host 2.2.2.10)(figurative line)

2 - Define/keep ONE-TO-ONE address mapping for your SERVICES SERVER.

(static (inside,outside) 1.1.1.10 192.168.18.254 netmask 255.255.255.255) (figurative line)

3 - Opposite ACLs must be created on VENDOR site.

4 - Remove NAT exemption rule for local to local IPSEC tunnel.

After these steps, from the VENDOR site they can use your SERVICES SERVER public IP to connect to it.

Best Regards,

Ufuk Guler
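As an added illustration (not part of either post above), here is the ASA 8.2 configuration the four steps describe, using the question's server address 192.168.18.104. The ACL, transform-set and crypto map names are assumed, and the ISAKMP policy is taken as already present since phase 1 completes.

```cisco
! One-to-one static NAT for the services server. On ASA 8.2 NAT runs before
! IPsec, so the packet evaluated against the crypto map already carries 1.1.1.10
static (inside,outside) 1.1.1.10 192.168.18.104 netmask 255.255.255.255

! Crypto ACL (interesting traffic) matches the post-NAT public addresses
access-list TUNNEL extended permit ip host 1.1.1.10 host 2.2.2.10

! Step 4: do NOT keep a NAT-exemption entry for this flow. An entry like the
! commented pair below would skip the static, leave the source as 192.168.18.104,
! and the crypto ACL would never match, so the flow would bypass the tunnel.
! access-list NO_NAT extended permit ip host 192.168.18.104 host 2.2.2.10
! nat (inside) 0 access-list NO_NAT

! Phase 2 and peer binding (names assumed)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address TUNNEL
crypto map OUTSIDE_MAP 10 set peer 2.2.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>

! Check: the IPsec SA should list 1.1.1.10 and 2.2.2.10 as the local/remote
! identities and show encaps/decaps counters increasing
show crypto ipsec sa peer 2.2.2.1
```

The vendor's Netscreen side needs the mirror-image proxy IDs (2.2.2.10 local, 1.1.1.10 remote), as step 3 states.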
