We have a Cisco ASA 5505 (OS version 8.2.1) used for our Production Site and working fine w/o any problem. One of the Services Servers has the private IP 192.168.18.104 configured and is NATted to the public IP address 18.104.22.168 on the ASA Firewall. A few ports are opened for incoming traffic on the outside interface for the Services Server, which seems to be working fine.
Now we need to establish an IPsec VPN tunnel with a vendor for the Services Server. Phase-1 negotiation has been completed, but a new configuration is required in which we need to allow the interesting traffic based on the public IP rather than the private one, which is what we basically do while creating VPN tunnels between two sites. The tunnel is created between the two sites and it is active. Our outside peer IP address is 22.214.171.124 and the vendor IP address is 126.96.36.199, and they are using a Netscreen firewall. Basically, for allowing the traffic we use the private subnet/IP address and send the traffic over the tunnel like 192.168.18.104 (Private IP) ------ 188.8.131.52 (Outside Interface IP of ASA) ----------- encrypted tunnel --------- 184.108.40.206 (Netscreen Peer IP). Now the problem is that the vendor is using the public IP (220.127.116.11) in their configuration for our Services Server instead of 192.168.18.104. But as far as I know we can allow the local subnet/IP in the interesting traffic over the tunnel.
Can anyone help me with whether we can allow the public IP in our configuration, as they are using the public IP address for their Services Server (18.104.22.168)? I don't know what configuration needs to be done so that both servers can communicate with each other. The scenario we want is: 22.214.171.124 (Services Server Public IP) ------ 126.96.36.199 ---------------------- encrypted ---------------------- 188.8.131.52 ------------------ 184.108.40.206 (Vendor Services Server).
We have many similar examples in our business. We are establishing PUBLIC IP TO PUBLIC IP tunnels between systems, even though our servers have local IP addresses on their NICs. The main point is, NAT is performed before IPsec. To use PUBLIC IP addresses for the IPsec tunnel,
1 - You should replace the server local IP address 192.168.18.254 with the server public IP address 220.127.116.11 on the IPSEC ACCESS-LIST.
(access-list TUNNEL extended permit ip host 18.104.22.168 host 22.214.171.124)(figurative line)
2 - Define/keep ONE-TO-ONE address mapping for your SERVICES SERVER.
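As an added example (not from the original post or the answer above), here is what the two steps look like in ASA 8.2 syntax, together with the mistake they avoid. All addresses (RFC 5737 documentation ranges), interface names and the crypto map / transform-set names are placeholders, not the values from the page; phase 1 (isakmp policy and tunnel-group) is assumed to be already configured as the question states.

```cisco
! Added example, ASA 8.2 syntax. Placeholder addresses:
!   192.168.18.104  services server NIC (inside)
!   203.0.113.10    public one-to-one NAT address of the server
!   198.51.100.50   vendor's services server
!   198.51.100.1    vendor Netscreen outside (peer) IP
!
! Step 2 of the answer: keep the one-to-one static so the server
! always leaves the outside interface as 203.0.113.10 and inbound
! traffic to 203.0.113.10 is un-NATted back to 192.168.18.104.
static (inside,outside) 203.0.113.10 192.168.18.104 netmask 255.255.255.255
!
! Step 1 of the answer: the crypto ACL must match the POST-NAT source.
! On the ASA, NAT runs before the crypto map check, so the translated
! address is what the ACL sees.
access-list TUNNEL extended permit ip host 203.0.113.10 host 198.51.100.50
!
! Wrong entry (shown for contrast): the private source never matches
! after translation, so the flow is not encrypted and is simply routed
! out the outside interface.
! access-list TUNNEL extended permit ip host 192.168.18.104 host 198.51.100.50
!
! Do NOT add a NAT exemption (nat (inside) 0 access-list ...) for this
! host/peer pair: exemption would keep the source at 192.168.18.104,
! which neither the crypto ACL nor the vendor's proxy-ID expects.
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address TUNNEL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! sysopt connection permit-vpn is on by default, so decrypted traffic
! from the peer bypasses the outside interface ACL; if it has been
! disabled, the outside ACL must also permit 198.51.100.50 -> 203.0.113.10.
!
! Checks after the change: the SA for the peer should show the
! 203.0.113.10/198.51.100.50 proxy identities and rising encaps/decaps.
! show crypto ipsec sa peer 198.51.100.1
! show xlate | include 192.168.18.104
```

The vendor's Netscreen side must use the same proxy-IDs (203.0.113.10 and 198.51.100.50 in this example), or phase 2 will not come up even though phase 1 is already complete.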