I've got a new ASA 5510 and plan to use it to connect two separate internal LANs to the internet.
The ISP assigned us the following IPs:
BorderIP - 2xx.xx.xx.89
PublicIP1 - 2xx.xx.xx.19/28
PublicIP2 - 2xx.xx.xx.234/29
The two internal LANs are 192.168.100.0/24 and 10.10.100.0/24
At the moment, we have a Cisco 1841 acting as the border router (IP 2xx.xx.xx.89), then a 3Com firewall and an ASA 5510 for the two internal LANs, 192.168.100.0/24 and 10.10.100.0/24, respectively.
We originally planned to replace the 3Com with a new ASA 5510, but recently we've been having problems with the 1841. Now we're thinking of replacing the 1841 with the new ASA 5510 and removing the 3Com and the other ASA 5510. This means that a single ASA 5510 will connect the two LANs, 192.168.100.0/24 and 10.10.100.0/24, to the internet.
Now here are the questions:
1. On the outside interface the assigned IP is 2xx.xx.xx.89 (BorderIP), and two IPs from the PublicIP1 and PublicIP2 ranges were added via proxy-arp. Using this interface configuration, can we NAT outbound traffic from 192.168.100.0/24 to 2xx.xx.xx.19 and from 10.10.100.0/24 to 2xx.xx.xx.234, so that when users from these networks browse the internet, their public IPs will be shown as coming from these addresses?
2. Can a "proxy-arp'ed" IP address be used as a VPN endpoint or peer address?
Thanks in advance for your help guys!
Your configuration looks good. There are a few possibilities due to which this is not working:
-- Your ISP is blocking all non-standard ports
-- You have statically mapped the x.x.x.19 address to one of the servers
-- The default gateway on the other servers is not set to the firewall inside IP
Can you verify the above possibilities and make sure that they are addressed? That should give us some idea of why it is not working.
Hope this helps.
That depends upon your requirement. If you do not want the traffic to get NAT'ed when going over the VPN tunnel, then you can configure NAT-0 (NAT exemption) rules. The access-list entries need a destination; the remote VPN subnet is shown here as a placeholder since it was not given:
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 <remote-vpn-subnet> <remote-vpn-mask>
access-list nonat extended permit ip 10.x.x.0 255.255.255.0 <remote-vpn-subnet> <remote-vpn-mask>
nat (inside) 0 access-list nonat
This will ensure that traffic from the internal subnets goes un-NAT'ed to the VPN destinations, while it follows the NAT rule when accessing the internet. If you want the inside hosts to use their respective NAT addresses even when going over the VPN tunnel, then you do not need to do anything (except configure the crypto access-lists accordingly).
Hope this helps.
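Putting the two pieces together (the per-LAN public address asked about in question 1, and the NAT exemption from the reply above), here is an added example in pre-8.3 ASA NAT syntax; it is not from the original thread. It assumes both LANs sit behind the "inside" interface, keeps the public addresses masked as in the thread, and uses 172.16.50.0/24 as a constructed placeholder for the remote VPN subnet.

```text
! Added example, not from the original thread. Pre-8.3 ASA NAT syntax.
! Assumptions: both LANs behind "inside"; 172.16.50.0/24 is a constructed
! placeholder for the remote VPN subnet; public IPs masked as in the thread.
!
! 1. NAT exemption is evaluated before dynamic NAT: traffic bound for the
!    VPN peer's LAN keeps its private source address.
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 10.10.100.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Everything else: each LAN is PATed to its own public address.
!    nat id 1 pairs with global id 1, nat id 2 with global id 2.
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 2xx.xx.xx.19
nat (inside) 2 10.10.100.0 255.255.255.0
global (outside) 2 2xx.xx.xx.234
!
! 3. The crypto ACL must match the exempted (untranslated) traffic,
!    because the tunnel sees the private addresses.
access-list vpn-traffic extended permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list vpn-traffic extended permit ip 10.10.100.0 255.255.255.0 172.16.50.0 255.255.255.0
!
! Check which rule a flow actually hits before relying on it
! (198.51.100.1 is a constructed internet host for the test):
! packet-tracer input inside tcp 192.168.100.10 1025 172.16.50.10 445
! packet-tracer input inside tcp 10.10.100.10 1025 198.51.100.1 80
! show xlate
```

With this syntax the ASA answers ARP on the outside interface for the addresses named in `global (outside)`, so the .19 and .234 addresses are served by the firewall itself rather than by a separate proxy-arp entry. The first packet-tracer should report the nat 0 exemption and the second should show the source translated to 2xx.xx.xx.234.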