ASA IPSEC VPN BEHIND A ROUTER WITH INVALID IP ADDRESS

Answered Question
Aug 13th, 2010

Hi Guys,

I have a question.

I need to build an IPSec VPN using the ASA-5500 firewall, but I only have one invalid IP address on my outside interface, 192.168.x.y. This interface is connected to the Ethernet router; the provider makes a single default route to a valid address, 200.140.x.y, passing through the outside interface of the ASA-5500.

How can I publish this 200.140.x.y valid address for access by my VPN users?

The topology is attached.

Please help me.

Thanks a lot

Anderson

Nagaraja Thanthry Sat, 08/14/2010 - 09:03

Hello,

It seems like your ISP is translating the 200.140.x.y address to the outside interface IP of the ASA. Can you ping the 200.140.x.y address from the internet? (Make sure that you have enabled icmp on the outside interface: "icmp permit any outside".) If that is working, then you can use that IP for VPN purposes.

Hope this helps.

Regards,

NT

anderson andrade Sat, 08/14/2010 - 09:34

Hi Miss Thanthry,

Thanks for your answer...

I cannot ping the 200.212.x.y address from the internet.

The guy from the ISP made a NAT of 200.246.x.y to my outside interface of the ASA.

In the ISP ROUTER

interface FastEthernet0/0
 description *** CONECT TO LAN ***
 ip address 192.168.254.4 255.255.255.248
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto

interface Serial0/0/0
 bandwidth 2048
 ip address 200.245.K.K 255.255.255.252
 ip nat inside
 encapsulation ppp
 ip route-cache flow
 no fair-queue

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.245.141.37
ip route 172.16.0.220 255.255.255.255 192.168.254.2
ip route 200.212.x.0 255.255.255.192 192.168.254.2
ip route 200.212.x.y 255.255.255.255 192.168.254.5

no ip http server
no ip http secure-server
ip nat inside source static 200.212.x.y 192.168.254.5 [only one ip address]

In the ASA

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.254.5 255.255.255.248

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.103 255.255.252.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1

access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any

But the VPN still does not work...

Correct Answer
Nagaraja Thanthry Sat, 08/14/2010 - 10:18

Hello,

First of all, it is not Miss. It is Mr.

For your question, from the configuration, your ISP is translating the public IP to your ASA's inside IP. So, I don't see any issues over there.

One thing I noticed is your default gateway on the firewall pointing to .1 when the inside interface of the ISP router is .4. To verify connectivity, try the following on the firewall:

ssh 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024

Once the above commands are entered, try to ssh to the public IP address. If you are able to log in to the ASA using the public IP, that means the public IP is directly getting translated to the ASA and you should not have any problem in using that IP for VPN.

Hope this helps.

Regards,

NT
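As an added example (not code from the thread or from Cisco), the script below performs the two comparisons Mr. Thanthry made by eye over the router and ASA snippets posted above: that the ISP's static NAT maps the public address onto the ASA's outside interface IP, and that the ASA's default route next hop is an address the ISP router actually owns on the shared /29. The sample configs are transcribed from the posts with their x.y and K.K placeholders kept, so the checker tolerates unparseable addresses.

```python
import ipaddress
import re

# Constructed sample input, transcribed from the thread (placeholders kept as posted).
ROUTER_CFG = """\
interface FastEthernet0/0
 ip address 192.168.254.4 255.255.255.248
 ip nat inside
interface Serial0/0/0
 ip address 200.245.K.K 255.255.255.252
ip nat inside source static 200.212.x.y 192.168.254.5
"""
ASA_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.254.5 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
"""

def parse_ip(text):
    """Parse an address; placeholders such as 200.245.K.K yield None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def asa_outside(cfg):
    """(outside IP, mask, default gateway) read from the ASA snippet."""
    ip, mask = re.search(r"nameif outside\n(?:.*\n)*? ip address (\S+) (\S+)", cfg).groups()
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M).group(1)
    return ip, mask, gw

def check(router_cfg=ROUTER_CFG, asa_cfg=ASA_CFG):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    ip, mask, gw = asa_outside(asa_cfg)
    # Check 1: the static NAT's inside-local address must be the ASA outside IP.
    nat = re.search(r"^ip nat inside source static (\S+) (\S+)", router_cfg, re.M)
    if nat is None or nat.group(2) != ip:
        findings.append(f"static NAT does not map the public address onto ASA outside IP {ip}")
    # Check 2: the default gateway must be an address the router owns on the shared subnet.
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    router_ips = {p for a, _ in re.findall(r"^ ip address (\S+) (\S+)", router_cfg, re.M)
                  if (p := parse_ip(a)) is not None and p in net}
    if parse_ip(gw) not in router_ips:
        findings.append(f"ASA default gateway {gw} is not a router address on {net}; router owns {[str(p) for p in sorted(router_ips)]}")
    return findings

if __name__ == "__main__":
    for line in check() or ["no inconsistencies found"]:
        print(line)
```

Run as-is it reports the .1 versus .4 gateway mismatch from the thread; pointing the ASA's default route at 192.168.254.4 makes it return no findings.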

anderson andrade Mon, 08/16/2010 - 11:15

Thank you Mr. Thanthry

This morning I made all the tests and the environment works pretty well.

Thank you a lot

Regards,

Anderson Oliveira de Andrade

CCVP, CCNP, CCIEv wr exam.
