ASA5505 Special NAT and VPN configuration

Answered Question
May 11th, 2010

I have the following scenario:



  net inside [129.168.21.0 / 24] ---------- [ASA5505] ------------  net outside [10.120.2.88 / 30] -----  ISP network


  ASA5505 inside interface:     192.168.21.254

  ASA5505 outside interface:     10.120.2.90

  ASA5505 default gateway:     10.120.2.89


The public addresses offered by our ISP are [190.X.Y.88 / 29].

We don't have a router to connect to the ISP Ethernet port.

I configured some NATs:


global (outside) 1 190.X.Y.90 netmask 255.255.255.248

nat (inside) 1 192.168.21.0 255.255.255.0


With these commands we got Internet navigation for the inside stations.


I configured a STATIC:


static (inside,outside) 190.X.Y.91 192.168.21.200 netmask 255.255.255.255


With this static and some access-lists we got public services to the Internet.


But we need to configure VPN Remote Access and L2L in the ASA5505.


How may I configure the interfaces, NAT or STATIC to get VPN access?

guigonza Tue, 05/11/2010 - 09:00

Thx ...  but the problem is not the VPN configuration.

The problem is the public IP address assigned to the outside interface. If you see the schema, the outside interface is connected directly to the Metro-Ethernet ISP port with private IP addresses ... and we are NATing the public IP addresses in the firewall without assigning them to any firewall interface.


Any suggestion ... ?

Correct Answer
Federico Coto F... Tue, 05/11/2010 - 09:39

The only way to terminate the VPN to the ASA is one of these two ways:


1. Terminate the tunnel on an IP directly assigned to an interface on the ASA.

2. Terminate the tunnel on a public IP that can be redirected to the IP of the ASA.


There's no way to terminate the tunnel on an IP that is not mapped somehow to the interface of the ASA.


Federico.
