[Cisco ASA 5510] Can we use external IP as encryptoin domain in IPsec? How ?

Unanswered Question
Jun 18th, 2014
User Badges:

In a IPsec site to site VPN, can we use an external public IP as encryption domain. And will the traffic forwarded to that external public IP ?

Here is a diagram to explain the scenario better.

Host 10.x.x.70 does not have internet connectivity, it wants to connect to 54.x.x.168 via IPsec tunnel.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
nkarthikeyan Wed, 06/18/2014 - 22:36
User Badges:
  • Gold, 750 points or more

Hi Mohit,

 

Yes. You can achieve that using the NAT on your end VPN device. For that you need to create an access-list with Source as your LAN(Private) IP and have the actual destination as it is (54.x.x.168) in your scenario. You just have the NAT created for this access-list with some public IP.

 

You crypto-map ACL should have the NATed Public IP of your local LAN IP as source and destination is already a public zone. So no change is required. On the other end they have to create the crypto map to your public IP only.

 

If you do like that your scenario will work without any issue.

 

HTH

 

Regards

Karthik

mohitvicky Thu, 06/19/2014 - 01:01
User Badges:

Right now my crypto map acl source is 'any'. If i give specific IP, then ipsec phase doesn't get through.

 

Here is current conf:

access-list outside_cryptomap_2 extended permit ip any host 10.x.x.70

 

You are suggesting:

access-list name extended permit ip <LOCAL_IP> <net mast> host 54.x.x.168 

access-list outside_cryptomap_2 extended permit ip 54.x.x.168 host 10.x.x.70

Is this what you mean ?

 

nkarthikeyan Thu, 06/19/2014 - 01:57
User Badges:
  • Gold, 750 points or more

Hi Mohit,

You have to make changes @ both the ends if you have any rule....

Juniper Srx Side:

You have to NAT the 10.x.x.70 to a public IP using NAT. At the same time you have to make the required changes in crypto-map ACL of that or similar in Junos Platform. There Source is x.x.x.x (NAT IP of 10.x.x.x) & Destination would be 54.x.x.168.

On Cisco ASA side:

access-list outside_cryptomap_2 extended permit ip 54.x.x.168 host x.x.x.x ( NAT IP of 10.x.x.x)

 

So both the end crypto ACL negotiation will go through and communication heppens in the form of public IP to the Public IP..... That gives you the solution.

 

HTH

 

Regards

Karthik

 

Actions

This Discussion