Cisco ASA5520 facing ISP with private IP address. How to route IPSec VPN across the internet?

Answered Question
Mar 20th, 2010


Hello guys,

I have a Cisco ASA5520 that faces the ISP with a private IP address. We have no router; how do I route an IPSec VPN across the internet?

The issue is that the outside interface pointing to the ISP has a private IP address, and so does the inside interface.

Firewall config:

Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0

Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100

I have a public IP block, 199.9.9.1/28.

How can I use the public IP addresses to create an IPSec VPN tunnel between two sites across the internet?

Should I assign one public IP address to the Gig1 inside interface with security-level 100, and how do I get inside traffic to route through this interface?

If I configure the firewall inside Gi1 interface with ip address 199.9.9.1/28 and security-level 100, how do I make sure VPN traffic routes through this interface across the internet?

I am used to assigning a public IP address to the outside interface of the firewall and a private IP address to the inside interface.

Please help with configuration examples and advice.

Thanks,

Eric

Correct Answer
Jennifer Halim Sat, 03/20/2010 - 05:21

Unfortunately, you can only terminate a VPN connection on the interface the VPN connection is coming in on; in your case, the outside interface.

3 options:

1) Connect a router in front of the ASA, and assign your public IP address to the ASA outside interface.

OR

2) If your ISP can perform a static 1-to-1 translation, then you can still terminate the VPN on the outside interface; ask your ISP what static IP address is assigned to your ASA outside IP address (10.0.1.2). This allows you to initiate the VPN bidirectionally.

OR

3) If your ISP performs PAT (dynamic NAT), then you can only initiate the VPN tunnel from the ASA side, and the other end of the tunnel needs to be configured to allow a dynamic LAN-to-LAN VPN.
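Option 3 worked through, as an added example that is not part of this thread or of any Cisco document: the ASA behind the ISP's PAT can only be the initiator, so it carries an ordinary static crypto map pointing at the remote site's real public address, and the remote ASA accepts the tunnel with a dynamic crypto map plus the DefaultL2LGroup pre-shared key, because it cannot know in advance which address the ISP's PAT will stamp on the incoming IKE packets. The syntax is the ASA 8.2 nat/global style used elsewhere in this thread. The remote peer address 203.0.113.10, the remote LAN 192.168.2.0/24, the object names and the placeholder pre-shared key are assumptions.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax (nat/global), as used in this thread.
! Assumptions: remote site public IP 203.0.113.10, remote LAN 192.168.2.0/24, local LAN 192.168.1.0/24,
! pre-shared key placeholder <psk>. The local ASA sits behind the ISP's PAT, so it must be the initiator.

! ---------- Local ASA (outside 10.0.1.2, behind ISP PAT at 10.0.1.1) ----------
crypto isakmp enable outside
! NAT-T is required: PAT cannot forward ESP (IP protocol 50), so IKE detects the NAT and both
! sides switch to UDP/4500 encapsulation. The 20 s keepalive holds the ISP's PAT entry open.
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic, reused as the NAT exemption so the tunnel carries real inside addresses
! instead of the PAT'd outside address.
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <psk>
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1

! ---------- Remote ASA (outside 203.0.113.10, a real public address) ----------
! The initiator's packets arrive from whatever address the ISP's PAT chooses, so no tunnel-group
! can be named after the peer; the dynamic map accepts the proposal and DefaultL2LGroup supplies the key.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <psk>
```

Two caveats go with this layout. The remote site can never bring the tunnel up, so it is only there once a host at the local site sends interesting traffic (or the tunnel is kept alive); if the local side is idle the PAT entry ages out and the remote site is cut off until the local ASA initiates again. And the DefaultL2LGroup key is accepted from any source address, so anyone holding it can build a tunnel to the remote ASA from anywhere; treat it as a shared secret across every dynamic peer and rotate it when one of them is decommissioned. On either box, `show crypto isakmp sa` should list the peer, and `show crypto ipsec sa` should show the encaps/decaps counters climbing once traffic flows.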

Eric Boadu Sat, 03/20/2010 - 12:11

Halijenn,

Thank you so much for your confirmation; I will communicate with my ISP about possibly resolving this issue. Currently the two sites are exchanging traffic through host-to-host NAT translation via the internet. We wanted a VPN where traffic can flow bidirectionally.

Thanks,

Eric

Eric Boadu Tue, 03/23/2010 - 13:31

Hi, my ISP confirmed that the public IP address is registered with the private one. My only option is to use the ASA firewall without a router: the ASA firewall faces the ISP with a private IP address. How can I utilize the public IP address to initiate a site-to-site VPN tunnel? I thought of using the global PAT below. Will this config, using 199.9.9.1 to initiate the VPN tunnel with the other office, work? Please advise with your best examples.

interface Gi0
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.0
!
interface Gi1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 igmp forward interface outside
!
interface Gi2
 nameif inside
 security-level 50
 ip address 199.9.9.1 255.255.255.0
 igmp forward interface outside
!
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any
global (inside,outside) 1 199.9.9.2 netmask 255.255.0.0
global (outside,inside) 1 10.0.1.2 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1

Thanks,

Eric

Jennifer Halim Tue, 03/23/2010 - 20:47

Hi Eric,

Unfortunately, you cannot use any IP address other than that of the interface that terminates the VPN tunnel, and in your case that will be your outside IP address.

Please also be advised that there is no "global (inside,outside)" command. On the ASA, dynamic NAT/PAT is configured with the nat and global pair, and static translation with the static (inside,outside) command.

The only option would be for your ISP to configure a static translation from your ASA outside IP address (10.0.1.2) to your public IP address. Please make sure that it is a static translation instead of a dynamic translation, so you can initiate the VPN tunnel from both ends.

Once the translation has been set up on your ISP router, the remote site or VPN client IPsec configuration will peer with your ASA using the public IP address that has been set up on your ISP router.

For example:

On your ISP router, you would configure a static translation from the ASA outside IP address of 10.0.1.2 to the public IP address of 199.9.9.2.

For all the VPN peers to establish the tunnel, they would need to specify the public IP address of 199.9.9.2.

The important thing to remember is to have a static translation instead of a dynamic translation.

Hope that helps.
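The static-translation example above, carried through to configuration, as an added illustration that is not part of this thread: the ISP router holds a 1-to-1 entry for 10.0.1.2, the ASA keeps terminating the tunnel on its unchanged outside address, and the remote site names the translated address as its peer. The ASA's own crypto map and tunnel-group are the ordinary static site-to-site configuration and are not repeated here; only the two ends that differ from a directly connected public address are shown. It assumes the ISP router runs Cisco IOS with its customer-facing interface on 10.0.1.1, a remote ASA at 203.0.113.10 with LAN 192.168.2.0/24, and a placeholder pre-shared key.

```cisco
! Added example, not from the thread. Assumptions: ISP router is Cisco IOS, customer link on 10.0.1.1,
! remote ASA outside 203.0.113.10, remote LAN 192.168.2.0/24, pre-shared key placeholder <psk>.

! ---------- ISP router (IOS): the static 1-to-1 translation Jennifer describes ----------
interface GigabitEthernet0/0
 description customer link to ASA outside (10.0.1.2)
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description upstream
 ip nat outside
!
! A single static entry covers every protocol and port, so inbound IKE (UDP/500, UDP/4500) and ESP
! from the remote site reach the ASA; a PAT pool would only create entries for outbound flows.
ip nat inside source static 10.0.1.2 199.9.9.2

! ---------- Remote ASA (203.0.113.10): peer with the translated address, never with 10.0.1.2 ----------
! The tunnel-group is matched on the source address the IKE packets actually arrive from, which is
! 199.9.9.2 after the ISP's translation, so that is the name it must carry.
crypto isakmp enable outside
! Both ASAs still detect a NAT (the IKE NAT-D hashes of 10.0.1.2 and 199.9.9.2 differ), so keep NAT-T
! enabled on both; ESP is then carried in UDP/4500 even though a 1-to-1 NAT could pass protocol 50.
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
!
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 199.9.9.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 199.9.9.2 type ipsec-l2l
tunnel-group 199.9.9.2 ipsec-attributes
 pre-shared-key <psk>

! ---------- Checks ----------
! ISP router: the static entry must be present before either side initiates.
!   show ip nat translations
! Either ASA: phase 1 should list the other peer; phase 2 should show encaps/decaps counters moving.
!   show crypto isakmp sa
!   show crypto ipsec sa
```

On Eric's ASA, the peer stays 203.0.113.10 and the tunnel-group is named after it; nothing references 199.9.9.2 locally, because the ASA never sees that address. If the ISP instead supplies a dynamic translation, the `show ip nat translations` entry for 10.0.1.2 will be absent until the ASA sends traffic outbound, which is the quickest way to confirm which kind of translation you were actually given.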
