S2S VPN with public IP address as source address

Unanswered Question
Jul 11th, 2012

We have a vendor that we need to create a S2S VPN with, and they are only allowing public IP addresses for the source address.  I assume this is because they don't want to deal with the potential overlap of private IP addresses from all of their clients.  I have never encountered this before, so I am not sure how to proceed and what public IP address to use.

Should I create a static one to one nat for the device that needs to go across the VPN to an available public IP address? 

Should I use the global pat address that users are seen on the internet as?

I inherited this network from a previous engineer, and there are two S2S VPNs on the ASA 5520 that have the global PAT address as the source address.  My concern with this is that all internal traffic will be able to go across the S2S VPN.

TIA for any advice.

Dan

rizwanr74 Wed, 07/11/2012 - 12:53

Hi Dan,

You can do this with policy static NAT.

What version of ASA are you running?

rizwanr74 Wed, 07/11/2012 - 13:19

If you have an additional public IP address available on your internet pipe, you can create a policy static NAT to an available public IP on your pipe (circuit); otherwise you can still use your existing public IP on your outside interface for the policy static NAT.

Your tunnel end-points and the interesting traffic for the VPN tunnel will be your public address and the remote public address.

I attached for you Cisco documentation for creating policy static NAT; however, it is for an old version of ASA. The concept remains the same, you just need to substitute the version 7 static NAT syntax with the 8.6 version.

Hope that helps.

thanks

deyster94 Wed, 07/11/2012 - 13:21

Can I use the global PAT IP address?  They aren't using the interface IP address for that address.

rizwanr74 Wed, 07/11/2012 - 13:27

"Can I use the global PAT IP address?" Sure you can.

"They aren't using the interface IP address for that address."

It is their luxury or availability; what matters is that the given public IP is routed to their circuit.

thanks

rizwanr74 Wed, 07/11/2012 - 14:36

When the interesting traffic for the VPN tunnel becomes public IP(s), there is no need for a no-NAT; normally, otherwise, you would need a no-NAT.

Thanks

Rizwan Rafeek
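The configuration that rizwanr74's replies describe (policy static NAT to a spare public address, a crypto ACL written in terms of the public addresses, and no NAT exemption), written out as an added example. This is not from the thread or from the attached Cisco document; the host names, object names, tunnel parameters and the documentation-range addresses (192.168.10.25 as the internal host, 198.51.100.25 as the spare public address, 203.0.113.0/24 and 203.0.113.1 as the vendor's subnet and peer) are all assumed for illustration. The NAT and crypto syntax is the ASA 8.4+ form that also applies to 8.6; the pre-8.3 equivalent is shown at the end for comparison with the older document.

```cisco
! ---- Address objects (documentation ranges, assumed for this example) ----
object network INSIDE_SERVER
 host 192.168.10.25
 description Internal host that must reach the vendor
object network INSIDE_SERVER_PUBLIC
 host 198.51.100.25
 description Spare public IP from our block, presented to the vendor
object network VENDOR_NET
 subnet 203.0.113.0 255.255.255.0
 description Vendor subnet behind their VPN peer

! ---- Policy (twice) static NAT, ASA 8.3 and later ----
! 192.168.10.25 is translated to 198.51.100.25 ONLY when the destination
! is VENDOR_NET; to every other destination it keeps using the normal PAT.
! The explicit line number 1 puts the rule at the top of manual NAT
! (section 1) so it is matched before an inherited "source dynamic any
! interface" PAT rule that may also live in section 1.
nat (inside,outside) 1 source static INSIDE_SERVER INSIDE_SERVER_PUBLIC destination static VENDOR_NET VENDOR_NET

! ---- Crypto ACL: written in terms of the TRANSLATED source ----
! On 8.3+ NAT is applied before the crypto map is evaluated, so the
! interesting traffic is public-to-public and no NAT exemption is needed.
! Because only the one translated host matches, the rest of the inside
! network cannot ride this tunnel even though the peer sees a public source.
access-list VPN_TO_VENDOR extended permit ip object INSIDE_SERVER_PUBLIC object VENDOR_NET

! ---- IKEv1 / IPsec parameters (must match what the vendor configures) ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address VPN_TO_VENDOR
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <shared-secret-agreed-with-vendor>

! ---- Same policy NAT in the pre-8.3 syntax of the attached document ----
! (for comparison only; do not mix both forms on one device)
! access-list POLICY_NAT_VENDOR extended permit ip host 192.168.10.25 203.0.113.0 255.255.255.0
! static (inside,outside) 198.51.100.25 access-list POLICY_NAT_VENDOR
```

To confirm the translation and the crypto match before the vendor brings their side up, run `packet-tracer input inside tcp 192.168.10.25 12345 203.0.113.10 443` and check that the NAT phase shows the 198.51.100.25 mapping and the VPN phase reports the packet as matching crypto map entry 20; once traffic flows, `show crypto ipsec sa peer 203.0.113.1` should list 198.51.100.25/32 to 203.0.113.0/24 as the local/remote identities. If the vendor instead insists on the existing global PAT address, the same crypto ACL keyed to that one address will carry every inside host that PATs behind it, which is the exposure the question raises; a dedicated mapped address per internal host is the way to keep the tunnel scoped.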
