ASA 5510 VPN - Using a public IP for the local network

leoruben2308
Level 1

Hello, I have a problem which is probably very simple, but I can't seem to figure it out.

I am setting up a site to site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.

We have a number of other site to site connections currently configured and working fine on this ASA. These are configured with the 'Protected network - Local network' set to the private IPs of the hosts within our network that we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.

With this new connection, however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why, but they demand it. So I added a NAT rule for the inside host and configured the connection with the public IP under 'Local Network'. When testing to try to reach a host on their side, the tunnel does not even attempt to initiate.

What is the method here? I can't see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' option does not need to be set for this, as how else would the ASA know which internal host the public IP relates to.

Any ideas?

2 Accepted Solutions

Hi Leo,

The steps are:

1- Add the Policy NAT rule for the specific host.

2- Define the NAT IP address as your LOCAL NETWORK in the crypto settings.

3- Make sure there is no NAT Exempt rule for this host to the specific destination.

What if you run a packet-tracer?

Thanks.


nkarthikeyan
Level 7

Hi Leo,

If you want to make use of the public IP for the communication over NAT/PAT in S2S, you can refer to the thread below, where it is explained.

https://supportforums.cisco.com/message/3695160#3695160

Please do rate if the given information helps.

By

Karthik


8 Replies


Hi Javier, thanks for replying. The steps you outlined are what I initially did (except I used a normal static NAT entry, not Policy NAT). I have changed this to Policy NAT, but the tunnel still does not want to initialise. I am not sure if the remote site admin has made some changes in the meantime, but I will still need to test more.

On a side note, with Policy NAT, the destination address would be the host on the remote network, not the remote peer address right?

I've attached the config (mostly relevant parts). The peer is 202.68.194.34 and the remote host is 202.68.194.104.

Hi Leo,

Thanks for the steps. I just got a similar request to configure a site-to-site VPN using a public IP as the local protected domain. The requirement looks like this:

SITE A: Protected Network (INSIDE interface) = 19.0.0.0/8

SITE A: ASA (OUTSIDE Interface) = 136.8.2.17

SITE B: Protected Network (INSIDE Interface) = 134.236.227.3/32

SITE B: ASA (OUTSIDE Interface) = 134.236.227.2/28

My client (in SITE B) has a private LAN using 192.168.31.xxx, and the big boss (in SITE A) demands that we cannot use my private IP as the ASA protected network. So I have to NAT this 192.168.31.xx to 134.236.227.3.

Other parts of the site-to-site VPN (such as creating the crypto map) are straightforward.

The NAT was the trickiest part for me, but now it works, so I just want to share with others who might face the same challenge.

I want my traffic to look like this:

Real local ip (192.168.31.251) ==> NAT to 134.236.227.3 (INSIDE) ==> pick up by ASA as its interesting traffic ==> build Tunnel with SITE B

Since I am now on ASA 9.6 code, we no longer use Policy NAT, and I use ASDM to configure it.

ASDM > Configuration > NAT Rules > Add NAT Rule Before "Network Object" NAT Rule (Section 1)

    Match Criteria:
        Source Interface:      INSIDE
        Source Address:        Host 192.168.31.251/32
        Destination Interface: Any
        Destination Address:   19.0.0.0/8

    Action: Translated Packet
        Source NAT:            STATIC
        Source Address:        134.236.227.3
        Destination Address:   Original

And it's working now: the tunnel is up and running.

So, without your post, I would not have been able to figure it out!

Thanks again.
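For readers working from the CLI rather than ASDM, here is the ASA 8.3+/9.x configuration equivalent of Javier's three steps and of the ASDM rule shared above. This is an added example, not configuration from any post in the thread; the addresses and interface names are the ones given above, while the object names, crypto map name and the remaining crypto map settings (transform set, IKE policy) are assumed placeholders.

```cisco
! Added example (not from the original posts): ASA 8.3+ twice-NAT for a
! site-to-site tunnel whose local protected address is a public NAT IP.
! Object and crypto map names are placeholders; addresses come from the thread.

! Real host behind INSIDE, its public NAT identity, and Site A's protected network
object network REAL_HOST
 host 192.168.31.251
object network NAT_HOST
 host 134.236.227.3
object network REMOTE_NET_SITEA
 subnet 19.0.0.0 255.0.0.0

! Step 1 (Policy NAT / manual NAT, section 1): translate REAL_HOST to NAT_HOST only
! for traffic going to REMOTE_NET_SITEA. Position 1 puts it ahead of any
! network-object NAT, matching "Add NAT Rule Before Network Object NAT Rule".
nat (INSIDE,OUTSIDE) 1 source static REAL_HOST NAT_HOST destination static REMOTE_NET_SITEA REMOTE_NET_SITEA

! Step 2: the crypto ACL (interesting traffic) must match the TRANSLATED source,
! because NAT is applied before the crypto map is evaluated on the outbound path.
access-list VPN_SITEA extended permit ip object NAT_HOST object REMOTE_NET_SITEA
crypto map OUTSIDE_MAP 10 match address VPN_SITEA
crypto map OUTSIDE_MAP 10 set peer 136.8.2.17

! Step 3: there must be NO identity (NAT-exempt) rule for this host to this
! destination ahead of the rule in step 1. A line like the one below would win
! on first match, send the packet out as 192.168.31.251, and the crypto ACL
! would never match, so the tunnel never initiates (the symptom in the question):
!   nat (INSIDE,OUTSIDE) source static REAL_HOST REAL_HOST destination static REMOTE_NET_SITEA REMOTE_NET_SITEA

! Verification, as Javier suggested: simulate an inside ping toward Site A and
! confirm the NAT phase shows 134.236.227.3 and a VPN/ENCRYPT phase appears.
packet-tracer input INSIDE icmp 192.168.31.251 8 0 19.0.0.1 detailed
show crypto ipsec sa peer 136.8.2.17
```

If packet-tracer shows the packet leaving untranslated or dropped before a VPN phase, check the order of the rules in `show nat` first, since the earliest matching rule wins.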

For the "why": that's a quite common demand for companies with a huge number of tunnels to different companies. If the remote network were addressed with their internal addresses, it would be likely that some customers use the same RFC1918 range. When you connect to a public IP, it's quite unlikely to have duplicates. (Well, unlikely doesn't mean impossible. I once had a customer who used public IP space that didn't belong to them on their internal networks. They refused my proposal to renumber because they never had problems with that ...)


I see, that makes sense.


Leo,

That is correct, should be the remote network and not the peer IP.

Let us know if you have any further questions

Please rate any post you find useful.

I have a similar setup and I have the static NAT configuration, but when I ping from behind the ASA to the remote site it does not work. When I ping from the ASA itself it does work.

Any ideas?
