The requirement is for User, a mobile user of Customer A, to connect to Customer B's VPN concentrator and open an IPsec connection using the Cisco VPN client.
User must also be authenticated when entering Customer A's network, and I am considering proxy authentication. So, before opening the VPN client, the user will initiate an HTTP connection to R1 and authenticate to the ACS server using a username/password. If authentication is successful, an entry will be downloaded to the R1 inbound access-list to allow traffic from the IP of the authenticated user to the IP of the VPN concentrator.
The problem is that Customer B needs to know the IP addresses of users with VPN clients so that it can allow only traffic from these IPs to pass through the R3 FW.
Since this is a mobile user, he can connect from different places, so he does not use a single IP.
Here are my thoughts/questions to address this issue:
1. Is it possible to assign User a static IP when authenticating with the ACS along with proxy authentication?
2. Can I use NAT outside at R1 so I translate the user IP to a static IP? Do you see any issue with this implementation?
3. Is there another solution to achieve the above, i.e. authentication of mobile users and static IP assignment?
Does the Concentrator have connectivity with Cust A's ACS server? I assume so. The best way to assign the remote client an IP address is to use an IP pool which is attached to the VPN user's group. Then Cust B would be able to build fw rules around this subnet. Be sure to use NARs to permit only authentication to the VPN and not any other RADIUS/TACACS+ clients. HTH.
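As an added illustration (not from either poster in this thread), the following IOS configuration sketch shows the questioner's option 2: authentication proxy on R1 with a per-user entry downloaded from ACS, PAT of the authenticated user behind one fixed outside address, and a matching inbound ACL on Customer B's R3 that admits only that address. All addresses, interface names, the TACACS+ key and the ACS attribute values are placeholders assumed for the example; the ACS attributes are assumed to follow the IOS auth-proxy downloadable ACL format (proxyacl#n entries with source "any", which IOS replaces with the authenticated host's address).

```cisco
! ---- R1 (Customer A edge) ----
aaa new-model
aaa authentication login default group tacacs+
! auth-proxy asks ACS for the per-user ACL entries after login
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.5 key EXAMPLE-TACACS-KEY   ! placeholder ACS address/key
!
! HTTP listener used by the auth proxy login page
ip http server
ip http authentication aaa
!
! Cache entry (and the downloaded ACL lines) removed after 60 idle minutes
ip auth-proxy name VPNUSERS http inactivity-time 60
!
interface FastEthernet0/0
 description Customer A user LAN (placeholder addressing)
 ip address 10.1.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy VPNUSERS
 ip nat inside
!
interface Serial0/0
 description Link towards Customer B (placeholder addressing)
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
!
! Before authentication only the login page on R1 is reachable;
! the downloaded proxyacl# lines are inserted above the deny
access-list 110 permit tcp any host 10.1.1.1 eq www
access-list 110 deny ip any any
!
! Every authenticated user leaves R1 sourced from 198.51.100.1
ip nat inside source list 20 interface Serial0/0 overload
access-list 20 permit 10.1.1.0 0.0.0.255

! ---- ACS (TACACS+ group for the VPN users, shown as attribute lines) ----
! service=auth-proxy
! priv-lvl=15
! proxyacl#1=permit udp any host 203.0.113.10 eq isakmp
! proxyacl#2=permit udp any host 203.0.113.10 eq 4500
! proxyacl#3=permit esp any host 203.0.113.10
! (203.0.113.10 is the placeholder concentrator address; "any" becomes the user's IP)

! ---- R3 (Customer B firewall) inbound ACL on the outside interface ----
! Only R1's fixed NAT address may reach the concentrator, and only for IPsec
access-list 120 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
access-list 120 permit udp host 198.51.100.1 host 203.0.113.10 eq 4500
access-list 120 permit esp host 198.51.100.1 host 203.0.113.10
access-list 120 deny ip any any log
```

Two points to check when using this layout: ESP carries no port numbers, so hiding several users behind one address with PAT works only if the VPN client and concentrator negotiate NAT-T (UDP 4500), which is why R3 must permit UDP 4500 alongside ISAKMP and ESP; and the downloaded entry disappears when the auth-proxy inactivity timer expires, so the user has to log in through the HTTP page again before starting a new VPN session.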