
New Member

IPSec design problem

Hi guys,

I have a client who wants to access a server at a bank. The server has a public IP and is secured by a Check Point firewall. At my end I have a Cisco ASA 5510. The requirement from the bank is that clients at my end must use a public IP. I have a public IP on the outside interface. From the requirement it seems that I need to configure IPsec in transport mode. Can anyone help me with what needs to be configured?

regards

6 REPLIES
Cisco Employee

Re: IPSec design problem

Hi

Please clarify the below:

1) Is the client an IPsec client?

2) If yes, where is it terminating the IPsec connection?

If not, wouldn't it just be needed to have the correct static / ACLs open on both firewalls?

Thanks

New Member

Re: IPSec design problem

Hi,

Well, the client at my end is a Windows machine, not running IPsec in any form. The termination endpoint for IPsec on my side is the ASA.

regards

Cisco Employee

Re: IPSec design problem

Hi

Thanks for the clarification. So the IPsec is between the ASA and the Check Point, right?

In that case, there is no need for transport mode etc. You can define the interesting traffic in the access-list for the IPsec on the ASA to be the actual IPs (public IP).

Please do let me know if this is clear.

Thanks

New Member

Re: IPSec design problem

Sounds like you just need to policy NAT to a public IP (could be the outside IP) before encrypting the traffic across the VPN. So, instead of non-NATed interesting traffic, the interesting traffic would be the public NAT IP to their public IP. NAT and VPN interesting-traffic config parts example (does not include all VPN config) below...

access-list VPN-TRAFFIC permit ip host 200.1.1.1 host 209.1.1.1
access-list NAT-ACL permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1
static (inside,outside) 200.1.1.1 access-list NAT-ACL

New Member

Re: IPSec design problem

Hi everyone,

First of all, thanks a ton for giving me some time from your busy schedules. Well, I tried this option also. What I did is static NAT the private IP to the public IP, then make that the interesting traffic for the VPN, then create the VPN tunnel. The VPN tunnel comes up without issue, but I cannot ping the other end, which means there is still some issue. I tried both tunnel and transport mode.

Let me know if I am missing something.

The problem is that this setup was running on an ISA server. Now the client asks why Cisco cannot do that.

regards

Cisco Employee

Re: IPSec design problem

Hi

The tunnel is coming up fine, which would mean phase 1 and phase 2 are OK, right? In sh cry ipsec sa, do you see encrypts and decrypts? If only encrypts, then either the packet is not coming back or the packet is dropped at the ASA.

Do you see anything in the ASA logs?

I assume you have the sysopt connection permit-vpn command in the configuration.

Thanks
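Putting the policy-NAT reply and the troubleshooting reply together, here is an added example of the ASA configuration the thread is circling around, with the verification commands the last reply refers to. It is not from the thread or from Cisco's documentation. It reuses the addresses from the policy-NAT reply (200.1.1.1 as the NATed public IP, 209.1.1.1 as the bank server, 192.168.1.0/24 as the inside LAN) and assumes pre-8.3 ASA syntax (the `static ... access-list` form used above); the peer address 203.0.113.1 (standing in for the bank's Check Point), the names OUTSIDE-MAP and ESP-AES-SHA, the ISAKMP parameters and the pre-shared key are all placeholders that do not appear in the thread.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT syntax, to match the reply above.

! 1. Interesting traffic: post-NAT source to the bank server (addresses from the reply above)
access-list VPN-TRAFFIC extended permit ip host 200.1.1.1 host 209.1.1.1

! 2. Policy NAT: only inside-LAN traffic destined for the bank server is translated to 200.1.1.1;
!    all other flows keep whatever translation they already have
access-list NAT-ACL extended permit ip 192.168.1.0 255.255.255.0 host 209.1.1.1
static (inside,outside) 200.1.1.1 access-list NAT-ACL

! 3. Phase 1 (ISAKMP). Placeholder parameters; they must match what the bank side configures.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! 4. Phase 2 (IPsec). Tunnel mode is the default and is what a LAN-to-LAN peer expects;
!    transport mode is not needed, as the Cisco reply above says.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 5. Peer definition. 203.0.113.1 is a placeholder for the bank's Check Point public address;
!    PLACEHOLDER-PSK is a placeholder, not a real key.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK

! 6. Let decrypted VPN traffic bypass the outside interface ACL (the command the last reply asks about)
sysopt connection permit-vpn

! Verification, run from exec mode (not config mode):
! show crypto isakmp sa                  -> phase 1 state
! show crypto ipsec sa peer 203.0.113.1  -> #pkts encaps and #pkts decaps counters
! show logging | include 209.1.1.1       -> drops involving the bank server
```

The counters in `show crypto ipsec sa` are the check the last reply describes: if `#pkts encaps` rises while `#pkts decaps` stays at zero, the ASA is sending traffic into the tunnel and nothing is coming back, so the problem is the return path (the bank side's routing or policy for 200.1.1.1) or a drop on the ASA, not the tunnel negotiation itself.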
