I have a vendor that requires us to use public IPs across our VPN tunnel. I have two ranges of public IPs: one that I can use for this tunnel and one that is used for our connection to the ISP.
I currently have an ASA set up with an internal network using 192.168.1.0/24 and an outside interface to the ISP.
When a user needs to get to the vendor website, they need to be NAT'd to a public IP and then diverted through the VPN tunnel.
I was going to assign the second IP range to a DMZ and then create the tunnel on the outside interface and use some tricky routing, but I haven't found a good way to do this. Does anyone have a good example of this?
You should be able to accomplish the request by creating a one-to-one NAT with a public IP for the source that will access the vendor's website through the tunnel, and defining the source/destination in your crypto map access-list. The question would be if the vendor requires that anyone behind your firewall get NATted with a unique public IP before going through the tunnel; that would be somewhat problematic when there are not too many public IPs available in your range.
On the other hand, if you are planning to create a pool of public IPs for the tunnel, it should be feasible by doing it through Policy NAT.
I don't think this site will be used by many people, so a pool of five public IPs that I can use for this should work. Do I need to assign this range to an interface, or can I just make a pool out of the public IPs and route them out the outside interface?
Michale, if you want to go by pool for the IPsec tunnel to use public IPs instead of one-to-one NAT, you will create local NAT and global NAT statements. I have created something similar for you, but it is by looking at some configuration examples, so you will have to quote me on this one and revise it carefully, as this script is something along those lines. You will not need to tell the PIX to route anything to outside as long as you have a default route in the firewall and the tunnel is terminated on your outside interface; the firewall will know where to send the traffic based on the crypto map tunnel information you give, as well as the ACL for the IPsec tunnel.
Say the destination host server on the other side is 10.10.10.30, the tunnel peer is 184.108.40.206, your public IP pool is 220.127.116.11 to 18.104.22.168, your inside LAN subnet is 192.168.1.0/24, and we use policy 10 for this tunnel.
create destination host in firewall to be on the outside interface
asdm location 10.10.10.30 255.255.255.255 outside
create in firewall peer tunnel IP address to be on the outside interface
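As an added example (not the poster's script), here is how the pool-based policy NAT and the crypto map could look in pre-8.3 ASA/PIX nat/global syntax, using the thread's 10.10.10.30 server and 192.168.1.0/24 LAN; the peer 198.51.100.1, the pool 203.0.113.9-203.0.113.13 (within 203.0.113.8/29) and the object names are assumed placeholders:

```cisco
! Added example, not the poster's script. Assumed placeholders: peer 198.51.100.1,
! public pool 203.0.113.9-203.0.113.13 (inside 203.0.113.8/29), names in CAPS.
!
! 1. Policy NAT: only LAN traffic bound for the vendor host is translated to the pool.
!    NAT ID 10 keeps it separate from the ordinary internet PAT (usually NAT ID 1);
!    policy NAT entries are evaluated before the plain "nat (inside) 1" rule.
access-list VENDOR_NAT extended permit ip 192.168.1.0 255.255.255.0 host 10.10.10.30
nat (inside) 10 access-list VENDOR_NAT
global (outside) 10 203.0.113.9-203.0.113.13 netmask 255.255.255.248
!
! 2. Crypto ACL: outbound NAT runs before encryption on the ASA, so the "interesting
!    traffic" must use the post-NAT public source, not 192.168.1.0/24.
access-list VENDOR_VPN extended permit ip 203.0.113.8 255.255.255.248 host 10.10.10.30
!
! 3. Phase 1 / Phase 2 and the crypto map bound to the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set VENDOR_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VENDOR_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set VENDOR_TS
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! 4. Verification: "show xlate" should list a 203.0.113.x translation for a LAN host
!    with a session to 10.10.10.30, and "show crypto ipsec sa peer 198.51.100.1"
!    should count those packets under the 203.0.113.8/29 -> 10.10.10.30 identity.
```

The vendor side must mirror the proxy identity (10.10.10.30 to 203.0.113.8/29) in its own crypto ACL; with plain dynamic NAT and no PAT fallback on NAT ID 10, the five-address pool also caps you at five concurrent LAN hosts talking to the vendor.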