08-04-2008 01:21 PM - edited 02-21-2020 03:52 PM
Hi,
I want to configure a site-to-site IPsec VPN on an ASA 5520 for remote branches. Earlier, PPTP clients connected through the firewall to an inside PPTP server. To translate the PPTP session to the inside server through the ASA I must use static NAT, because PPTP uses GRE. Maybe someone knows how I can simultaneously use the old PPTP connections and IPsec site-to-site? Is there a possibility to disable NAT for IPsec and enable static NAT for the PPTP connections (NAT policy?) if I have only one outside IP?
Thanks in advance.
08-04-2008 07:02 PM
u mean u want ur pptp to go to a server behind the firewall and the ipsec to terminate on the ASA itself??
08-04-2008 10:16 PM
yes, if that is possible
08-04-2008 10:36 PM
make static pat for pptp traffic, regarding u have to put two statements, one for the pptp port and one for gre
i will make a statement forwarding port 80
u do the same thing, only replace the port and put the required ports for pptp and another one for gre
i will assume ur outside public address is 10.1.1.1 and ur internal server ip is 20.1.1.1

static (inside,outside) tcp 10.1.1.1 80 20.1.1.1 80 netmask 255.255.255.255

u can use tcp or udp
and make a statement for each port
for ipsec, because u r terminating the session on the outside interface itself u dont need any PATing
but what u need
u need something called nat exemption
or nat 0
this will prevent the traffic going from ur site to the remote site from being NATed and it will just go directly through the IPsec tunnel
lets say ur remote site private network is 192.168.1.0/24
and ur private network is 20.1.1.0/24
do:

access-list 100 permit ip 20.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
good luck
and if u need any more info just post it here
please, if helpful Rate
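Putting both halves of the answer above into one configuration, as an added example that is not from either poster: it assumes pre-8.3 ASA NAT syntax (8.0 to 8.2), the addresses used in the thread (outside 10.1.1.1, PPTP server 20.1.1.1, inside LAN 20.1.1.0/24, remote LAN 192.168.1.0/24), and a placeholder for the branch peer address. GRE has no port, so the "second static for gre" is handled by PPTP inspection, which translates the GRE leg that belongs to each PPTP control session.

```cisco
! Assumed: ASA 8.0-8.2 syntax, outside interface IP 10.1.1.1, inside PPTP
! server 20.1.1.1, inside LAN 20.1.1.0/24, remote branch LAN 192.168.1.0/24.

! 1. PPTP control channel: static PAT of the single outside IP ("interface")
!    on TCP/1723 to the inside PPTP server. GRE (IP protocol 47) carries no
!    port and cannot be PATed by a "static ... tcp" line; "inspect pptp"
!    below opens and translates the GRE connection tied to each PPTP session.
static (inside,outside) tcp interface 1723 20.1.1.1 1723 netmask 255.255.255.255

access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq 1723
access-list OUTSIDE_IN extended permit gre any host 10.1.1.1
access-group OUTSIDE_IN in interface outside

policy-map global_policy
 class inspection_default
  inspect pptp

! 2. Site-to-site traffic: NAT exemption (nat 0) so branch traffic enters the
!    tunnel untranslated. Exemption is checked before the static PAT, so both
!    coexist on the one outside address.
access-list NONAT extended permit ip 20.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Crypto map selecting the same networks. ISAKMP policy and the
!    tunnel-group pre-shared key are omitted; the peer address is a placeholder.
access-list VPN_BRANCH extended permit ip 20.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_BRANCH
crypto map OUTSIDE_MAP 10 set peer <branch-public-ip>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
```

Check the result with "show xlate" (the TCP/1723 translation plus a GRE translation per active PPTP session) and "show crypto ipsec sa" (branch traffic counted on the SA rather than appearing as PAT translations).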
08-04-2008 11:22 PM
marwan, thank you for the fast response. I will try this. I thought that PPTP would work only with static NAT, like in this example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml#pptpwith
And also please look at this link: http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0f962
08-05-2008 06:13 AM
cool, try all the concepts
and if u need any more details post here
if helpful, post