Cisco Support Community

ASA5505 Special NAT and VPN configuration

I have the following scenario:

  net inside [129.168.21.0 / 24] ---------- [ASA5505] ------------  net outside [10.120.2.88 / 30] -----  ISP network

  ASA5505 inside interface:     192.168.21.254

  ASA5505 outside interface:     10.120.2.90

  ASA5505 default gateway:     10.120.2.89

The public addresses offered by our ISP are [190.X.Y.88 / 29].

We don't have a router to connect the ISP ethernet port.

I configured some NATs:

global (outside) 1 190.X.Y.90 netmask 255.255.255.248

nat (inside) 1 192.168.21.0 255.255.255.0

With these commands we got Internet navigation for the inside stations.

I configured a STATIC:

static (inside,outside) 190.X.Y.91 192.168.21.200 netmask 255.255.255.255

With this static and some access-lists we got public services to the Internet.

But we need to configure VPN Remote Access and L2L in the ASA5505.

How may I configure the interfaces, NAT or STATIC to get VPN access?

Accepted Solutions

Re: ASA5505 Special NAT and VPN configuration

The only way to terminate the VPN on the ASA is one of these two ways:

1. Terminate the tunnel on an IP directly assigned to an interface on the ASA.

2. Terminate the tunnel on a public IP that can be redirected to the IP of the ASA.

There's no way to terminate the tunnel on an IP that is not mapped somehow to the interface of the ASA.

Federico.

3 REPLIES

Re: ASA5505 Special NAT and VPN configuration

Hi,

You can find all the details about configuring VPN here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ike.html

Let us know if you have any questions.

Federico.

Re: ASA5505 Special NAT and VPN configuration

Thx ... but the problem is not the VPN configuration.

The problem is the public IP address assigned to the outside interface. If you see the schema, the outside interface is connected directly to the Metro-ethernet ISP port with private IP addresses ... and we are NATing the public IP addresses in the firewall without assigning them to any firewall interface.

Any suggestion ... ?
