Cisco ASA5520 facing ISP with private IP address. How to route IPSec VPN across the internet?

Unanswered Question
Mar 19th, 2010
Hello guys,


I have a Cisco ASA5520 that is facing the ISP with a private IP address. We have no router; how do we route an IPSec VPN across the internet?


Firewall config:

Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0

Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100


I have public IP block 199.9.9.1/28


How can I use the public IP addresses to create an IPSec VPN tunnel between two sites across the internet?

Should I assign one public IP address to the Gig1 inside interface with security-level 100, and how do I apply the inside route on this interface?

If I configure the firewall inside Gi1 interface with ip address 199.9.9.1/28 and security-level 100, how do I make sure VPN traffic is routed through this interface across the internet?


I am used to assigning public IP address to outside interface of the firewall and private IP address to inside interface.


Please help with configuration examples and advise.


Thanks,

Eric

Eric Boadu Sat, 03/20/2010 - 12:24

Thank you so much Sean. I'm planning to put a router in front of the firewall and work with my ISP to possibly perform 1-to-1 translation or PAT dynamic NAT.


Thanks,

Eric

paolo bevilacqua Sat, 03/20/2010 - 05:22

Recommend you get a Cisco router with ADSL so you can either use PPPoE on the ASA, or eliminate the ASA and do everything on the router.

Eric Boadu Sat, 03/20/2010 - 12:31

Thank you P, I'm planning to add a router and work with my ISP to possibly perform 1-to-1 translation or PAT dynamic NAT. Management requirement: I must use the firewall and eliminate the router if possible.


Thanks,

Eric

paolo bevilacqua Mon, 03/22/2010 - 05:35

Routers do firewalling too; show your management the Cisco doc about it.

Eric Boadu Tue, 03/23/2010 - 17:23

Yes, I tried to add a router but it is not an option. So your advice on this config will be very much appreciated.

Hi, my ISP confirmed that the public IP block is registered with the private address. My only option is to use the ASA firewall without a router. The ASA firewall faces the ISP with a private IP address. How can I utilize the public IP addresses to initiate a VPN site-to-site tunnel? I thought of using global PAT as below. Will this config, using interface Gi2 199.9.9.1 to initiate the VPN tunnel with the other office, work? Please advise with your best examples.


CiscoASA(config)# interface Gi0
CiscoASA(config-if)# nameif outside
CiscoASA(config-if)# ip address 10.0.1.2 255.255.255.0
CiscoASA(config-if)# security-level 0

CiscoASA(config)# interface Gi1
CiscoASA(config-if)# nameif inside
CiscoASA(config-if)# ip address 192.168.1.1 255.255.255.0
CiscoASA(config-if)# security-level 100
CiscoASA(config-if)# igmp forward interface outside

CiscoASA(config)# interface Gi2
! nameif must be unique per interface; "inside" is already used by Gi1 (name kept as posted)
CiscoASA(config-if)# nameif inside
CiscoASA(config-if)# security-level 50
! mask corrected to /28 to match the public block
CiscoASA(config-if)# ip address 199.9.9.1 255.255.255.240
CiscoASA(config-if)# igmp forward interface outside

CiscoASA(config)# same-security-traffic permit intra-interface
CiscoASA(config)# access-list outside_in extended permit icmp any any
CiscoASA(config)# access-list outside_in extended permit tcp any any

! PAT pool for inside hosts leaving via outside, drawn from the public /28
CiscoASA(config)# global (outside) 1 199.9.9.2 netmask 255.255.255.240
! global takes a single interface name; "(outside, inside)" is not valid syntax and the intent is unclear (kept as posted)
CiscoASA(config)# global (outside, inside) 1 10.0.1.2 255.255.255.0
CiscoASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

CiscoASA(config)# route outside 0.0.0.0 0.0.0.0 10.0.1.1 1


Thanks,

Eric
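As an added sanity check that is not part of the thread, this Python script lints the interface, ACL and NAT lines Eric posted for the syntax slips an ASA would reject before any VPN question arises: the five-octet mask, the ACL name containing a space, the duplicate nameif, and masks on 199.9.9.x addresses that do not match the /28 block. The config copy and the 199.9.9.0/28 network are constructed from the post.

```python
import ipaddress
from collections import Counter

# Constructed copy of the interface, ACL and NAT lines from the post, typos intact.
POSTED_CONFIG = """\
nameif outside
address 10.0.1.2 255.255.255.255.0
nameif inside
nameif inside
ip address 199.9.9.1 255.255.255.0
access-list outside in extended permit icmp any any
global (inside, outside) 1 199.9.9.2 netmask 255.255.0.0
"""
PUBLIC_BLOCK = ipaddress.ip_network("199.9.9.0/28")  # the /28 the post says Eric holds

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False

def valid_mask(mask):
    # A real mask is four octets of contiguous ones followed by zeros.
    if not is_ipv4(mask):
        return False
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def lint(config):
    # Return human-readable findings for an ASA 8.2-style config snippet.
    findings, nameifs = [], Counter()
    for line in config.splitlines():
        w = line.split()
        if w[0] == "nameif":
            nameifs[w[1]] += 1
        elif w[0] == "access-list" and len(w) > 2 and w[2] != "extended":
            findings.append(f"{line!r}: ACL name must be one token (e.g. outside_in)")
        for i in range(1, len(w)):  # a mask follows an address or the word 'netmask'
            if w[i - 1] == "netmask":
                addr = w[i - 2]
            elif is_ipv4(w[i - 1]) and "." in w[i]:
                addr = w[i - 1]
            else:
                continue
            if not valid_mask(w[i]):
                findings.append(f"{line!r}: {w[i]} is not a valid netmask")
            elif is_ipv4(addr) and ipaddress.IPv4Address(addr) in PUBLIC_BLOCK and w[i] != str(PUBLIC_BLOCK.netmask):
                findings.append(f"{line!r}: {addr} is in {PUBLIC_BLOCK}; mask should be {PUBLIC_BLOCK.netmask}")
    for name, count in nameifs.items():
        if count > 1:
            findings.append(f"nameif {name!r} is used on {count} interfaces; names must be unique")
    return findings
```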
