Cisco Support Community

New Member

ASA 5510 VPN - Using a public IP for the local network

Hello, I have a problem which is probably very simple but I can't seem to figure it out.

I am setting up a site to site IPsec connection with a company, something which I have done many times before without trouble. I use ASDM to configure this as it is quick and painless, usually.

We have a number of other site to site connections currently configured and working fine on this ASA. These are configured with the 'Protected network - Local network' set to the private IPs of the hosts within our network that we want to make available through the separate tunnels. This includes the configuration setting on our ASA for each connection to 'Exempt ASA side hosts from NAT'.

With this new connection however, the company has asked us to use a public IP for the host we want them to reach through the tunnel. I am not sure why but they demand it. So I added a NAT rule for the inside host, and configured the connection with the public IP under 'Local Network'. When testing to try to reach a host on their side, the tunnel does not even attempt to initiate.

What is the method here? I can't see where I am going wrong. I am guessing the 'Exempt ASA side host from NAT' does not need to be set for this, as how else would the ASA know which internal host the public IP relates to?

Any ideas ?

  • VPN
2 ACCEPTED SOLUTIONS
7 REPLIES

ASA 5510 VPN - Using a public IP for the local network

Hi Leo,

The steps are:

1- Add the Policy NAT rule for the specific host.

2- Define the NAT IP address as your LOCAL NETWORK in the crypto settings.

3- Make sure there is no NAT Exempt rule for this host to the specific destination.

What if you run a packet-tracer?

Thanks.

New Member

ASA 5510 VPN - Using a public IP for the local network

Hi Javier, thanks for replying. The steps you outlined are what I initially did (except I used a normal static NAT entry, not Policy NAT). I have changed this to Policy NAT but the tunnel still does not want to initialise. I am not sure if the remote site admin has made some changes in the meanwhile, but I will still need to test more.

On a side note, with Policy NAT, the destination address would be the host on the remote network, not the remote peer address right?

I've attached the config (mostly relevant parts). The peer is 202.68.194.34 and the remote host is 202.68.194.104.

New Member

Hi Leo,

Thanks for the steps. I just got a similar request to configure a site-to-site VPN using a public IP as the local protected domain. The requirement looks like this:

SITE A: Protected Network (INSIDE interface) = 19.0.0.0/8

SITE A: ASA (OUTSIDE Interface) = 136.8.2.17

SITE B: Protected Network (INSIDE Interface) = 134.236.227.3/32

SITE B: ASA (OUTSIDE Interface) = 134.236.227.2/28

My client (in SITE B) has a private LAN using 192.168.31.xxx, and the big boss (in SITE A) demands that we cannot use my private IP as the ASA protected network. So I have to NAT this 192.168.31.xxx to 134.236.227.3.

Other parts of the Site-to-Site VPN (such as creating the crypto map) are straightforward.

The NAT was the most tricky part for me, but now it works, so I just want to share with others who might face the same challenge.

I want my traffic to look like this:

Real local IP (192.168.31.251) ==> NAT to 134.236.227.3 (INSIDE) ==> picked up by the ASA as interesting traffic ==> build tunnel with SITE B

Since I am now on ASA 9.6 code, we no longer use Policy NAT, and I use ASDM to configure it.

ASDM > Configuration > NAT Rules > Add NAT Rule Before "Network Object" NAT Rules (Section 1)

    Match Criteria:
        Source Interface      : INSIDE
        Source Address        : Host 192.168.31.251/32
        Destination Interface : Any
        Destination Address   : 19.0.0.0/8
    Action: Translated Packet
        Source NAT            : STATIC
        Source Address        : 134.236.227.3
        Destination Address   : Original

and it's working now: the tunnel is up and running.

So without your post I would not have been able to figure it out!

Thanks again.
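The same rule expressed on the ASA command line, as an added example that is not part of this thread or of any poster's configuration. It covers Javier's three steps above (a manual NAT rule placed first in section 1, the crypto ACL written with the translated address, and no NAT-exempt rule winning for this host) and mirrors the ASDM rule in the previous post. The addresses are the ones that post gives; the object names, the OUTSIDE interface name (the ASDM rule used "Any" for the destination interface), the crypto map name, the test host 19.0.0.10 and the ports are assumptions for illustration.

```text
! Added example, not from the thread. ASA 8.3+ / 9.x syntax.
! Real and translated addresses for the Site B host, and the Site A network.
object network SITEB-HOST-REAL
 host 192.168.31.251
object network SITEB-HOST-PUBLIC
 host 134.236.227.3
object network SITEA-NET
 subnet 19.0.0.0 255.0.0.0

! Step 1: manual (twice) NAT at line 1 of section 1, so it is evaluated before
! any identity / "Exempt ASA side hosts from NAT" rule for the same host (step 3).
! Source is translated statically; destination is identity (kept as original),
! so the translation applies only to traffic bound for Site A.
nat (INSIDE,OUTSIDE) 1 source static SITEB-HOST-REAL SITEB-HOST-PUBLIC destination static SITEA-NET SITEA-NET

! Step 2: the ASA applies NAT before it matches the crypto map on egress, so
! the "local network" in the crypto ACL is the translated public address,
! not the RFC1918 one.
access-list VPN-TO-SITEA extended permit ip object SITEB-HOST-PUBLIC object SITEA-NET
crypto map OUTSIDE_map 10 match address VPN-TO-SITEA
crypto map OUTSIDE_map 10 set peer 136.8.2.17

! Checks (the packet-tracer Javier suggested). Look for a NAT phase that
! translates 192.168.31.251 to 134.236.227.3 followed by a VPN phase with
! "Action: allow". A drop at the NAT or VPN phase normally means an earlier
! NAT rule matched first or the crypto ACL still names the private address.
packet-tracer input INSIDE tcp 192.168.31.251 40000 19.0.0.10 443
show nat detail
show crypto ipsec sa peer 136.8.2.17
```

The ordering matters more than the syntax: a broad identity NAT between INSIDE and OUTSIDE placed above this rule silently keeps the private source address, the crypto ACL then never matches, and the tunnel never attempts to initiate, which is exactly the symptom the original post describes.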

VIP Purple

Re: ASA 5510 VPN - Using a public IP for the local network

For the "why": That's a quite common demand for companies with a huge amount of tunnels to different companies. If the remote network were addressed with their internal addresses, it would be likely that some customers use the same RFC1918 range. When you connect to a public IP, it's quite unlikely to have duplicates. (Well, unlikely doesn't mean impossible. I once had a customer who used public IP space that didn't belong to them on their internal networks. They refused my proposal to renumber because they never had problems with that ...)

Sent from Cisco Technical Support iPad App

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

New Member

ASA 5510 VPN - Using a public IP for the local network

I see, that makes sense.

ASA 5510 VPN - Using a public IP for the local network

Hi Leo,

If you want to make use of the public IP for the communication over NAT/PAT in S2S, you can refer to the thread below, where it is explained.

https://supportforums.cisco.com/message/3695160#3695160

Please do rate if the given information helps.

By

Karthik

ASA 5510 VPN - Using a public IP for the local network

Leo,

That is correct, it should be the remote network and not the peer IP.

Let us know if you have any further questions

Please rate any post you find useful.
