Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

VPN tunnel using public IP's

I have a vendor that requires us to use public IP's across our VPN tunnel. I have two ranges of public IP's one that I can use for this tunnel and one that is used for our connection to the ISP.

I currently have an ASA setup with and interal network using and an outside interface to the ISP.

When a user needs to get to the vendor website, they need to be NAT'd to a public IP and then diverted through the VPN tunnel.

I was going to assign the second IP range to a DMZ and then create the tunnel on the outside interface and use some tricky routing, but I haven't found a good way to do this. Does anyone have a good example of this?


Re: VPN tunnel using public IP's

Hi Michael,

You should be able to accomplish the request by creating a one-to-one nat with a public IP for the source that will access the vendor's website through the tunnel and define the source/destination in your crypto map access-list. The question would be if the vendor requires that any one behind your firewall get natted with a unique public IP before going through the tunnel that would be somewhat problematic when there is not to many public IPs available in your range.

On the other hand, if you are planing to create a pool of public ips for the tunnel it should be feasable by doing it through Policy NAT.



Community Member

Re: VPN tunnel using public IP's

Thanks for the reply.

I don't think this site will be used by many people, so a pool of five public IP's that I can use for this should work. Do I need to assign this range to an interface or can I just make a pool out of the public IP's and route them out the outside interface?

Thanks in advance.

Re: VPN tunnel using public IP's

Michale, if you want to go by pool for the ipsec tunnel to use public IPs instead of one to one nat you will create local nat and global nat statement, I have create something similar for you but it is by looking at some configurations examples but you will have to quote me on this one and revise it carefully as this script is something along those lines, you will not need to tell pix to route anything to outside as long you have a default route in firewall and that the tunnel is terminated in your outside interface, firewall will know where to send the traffic based on crypto map tunnel information you give as well as ACL for the IPsec tunnel.

Say the destination host server on the other side is, the tunnel peer is your public IP pool is to and your inside LAN subnet is and we use policy 10 for this tunnel.

create destination host in firewall to be on the outside interface

asdm location outside

create in firewall peer tunnel IP address to be on the outside interface

asdm location oustide

Define local nat and global nat statements

global(outside)2 netmask

nat(inside) 2 access-list NEW-L2LTUNNEL

Create Ipsec Phase 1

isakmp key cisco address netmask no-xauth no-config-mode

isakmp policy 10 authen pre-share

isakmp policy 10 encrypt 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Create tunnel Phase 2

crypto ipsec transform-set esp-3des esp-sha-hmac

crypto map outside_map 10 ipsec-isakmp

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set pfs group2

crypto map outside_map 10 set peer

crypto map outside_map 10 set transform-set

crypto map outside_map 10 set security-association lifetime seconds 28800 kilobytes 3600

Create access-list and crypto map acl

access-list NEW-L2LTUNNEL permit ip host

access-list outside_cryptomap_10 permit ip

crypto map outside_map interface outside

Again you will have to quote me on this one as I have not tested it but it is along these lines.

You can get some good ideas on these links like the overlaping example is good to strip scripts off these and create one based on requirements.




Community Member

Re: VPN tunnel using public IP's

You can use the nat policy functionality

with static translation for the tunnel to your vendor. refer below

access-list xxx permit ip host

static (inside,outside) access-list xxx

This maps an internal client to the vendor's translated IP address. so you can have this done for each client.note that the internet traffic will still go through the regular translation policy

CreatePlease to create content