I have a client who wants to access a server at a bank. The server has a public IP. The server is secured by a Check Point firewall. At my end I have a Cisco ASA 5510. The requirement from the bank is that clients at my end must use a public IP. I have a public IP on the outside interface. From the requirement it seems that I need to configure IPsec in transport mode. Can anyone help me with what needs to be configured?
Sounds like you just need to policy NAT to a public IP (could be the outside IP) before encrypting the traffic across the VPN. So, instead of non-NAT'ed interesting traffic, the interesting traffic would be the public NAT IP to their public IP. NAT and VPN interesting-traffic config example parts (does not include all VPN config) below...
access-list VPN-TRAFFIC remark crypto map match: public NAT address to the bank server, i.e. traffic as it looks AFTER NAT
access-list VPN-TRAFFIC permit ip host 18.104.22.168 host 22.214.171.124
access-list NAT-ACL remark policy NAT match: inside LAN to the bank host only, so other traffic keeps its normal NAT
access-list NAT-ACL permit ip 192.168.1.0 255.255.255.0 host 126.96.36.199
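An added configuration example, not from the reply above, showing the policy NAT plus crypto pieces it describes for an ASA 5510. It keeps the thread's addresses (18.104.22.168 as the public NAT address, 22.214.171.124 as the bank server, 192.168.1.0/24 as the inside LAN); the Check Point gateway address 203.0.113.1, the object and map names, and the IKE/IPsec parameters are assumptions (the bank dictates the real proposal and pre-shared key). Both NAT syntaxes are included because a 5510 may run either pre-8.3 or 8.3+ code; apply only the section matching your version.

```cisco
! Added example, not the poster's configuration. Addresses are the thread's; object/map
! names and crypto parameters are assumptions. 203.0.113.1 is a placeholder for the
! bank's Check Point gateway, which the thread does not give.

! Interesting traffic is defined AFTER NAT: the public NAT address to the bank server.
access-list VPN-TRAFFIC extended permit ip host 18.104.22.168 host 22.214.171.124

! ===== NAT on ASA 8.2 and earlier (policy PAT via nat/global) =====
! Only traffic to the bank server is translated. The "nat (inside) 0 access-list"
! exemption must NOT match this traffic: NAT exemption wins over policy NAT and would
! send the private addresses into the tunnel untranslated, missing VPN-TRAFFIC.
access-list NAT-ACL extended permit ip 192.168.1.0 255.255.255.0 host 22.214.171.124
nat (inside) 2 access-list NAT-ACL
global (outside) 2 18.104.22.168
! (if the public address is the outside interface itself: global (outside) 2 interface)

! ===== NAT on ASA 8.3 and later (manual NAT) =====
! Rule 1 so it is evaluated before any identity-NAT rules for other VPNs.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network BANK-SERVER
 host 22.214.171.124
object network VPN-NAT-IP
 host 18.104.22.168
nat (inside,outside) 1 source dynamic INSIDE-LAN VPN-NAT-IP destination static BANK-SERVER BANK-SERVER

! ===== Site-to-site IPsec (tunnel mode is the default; no transport mode needed) =====
! On 8.4+ the same commands use the ikev1 keyword (crypto ikev1 enable/policy,
! crypto ipsec ikev1 transform-set, set ikev1 transform-set, ikev1 pre-shared-key).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set BANK-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set BANK-TS
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-KEY-FROM-BANK
! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-vpn
```

The ordering matters more than the individual commands: the ASA evaluates NAT before the crypto map on outbound traffic, so the crypto ACL must name the translated address, and any NAT exemption or identity rule for other tunnels must not catch the bank-bound flows first.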
First of all, thanks a ton for giving me some time from your busy schedules. Well, I tried this option also. What I did is static NAT the private IP to the public IP, then make that the interesting traffic for the VPN, then create the VPN tunnel. The VPN tunnel comes up without issue, but I cannot ping the other end, which means there is still some issue. I tried both tunnel and transport mode.
Let me know if I am missing something.
The problem is that this setup was running on an ISA server. Now the client says, why can't Cisco do that?
The tunnel is coming up fine, which would mean phase 1 and phase 2 are OK, right? In sh cry ipsec sa, do you see encrypts and decrypts? If only encrypts, then either the packet is not coming back or the packet is dropped at the ASA.
Do you see anything in the ASA logs?
I assume you have the sysopt connection permit-vpn command in the configuration.
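An added troubleshooting sequence, not from the reply above, that walks the checks it suggests: reading encaps/decaps on the phase 2 SA, tracing a packet through NAT and the crypto map, and confirming the translation and log entries. Addresses are the thread's; 203.0.113.1 and 192.168.1.10 are placeholders for the bank's gateway and one inside host.

```cisco
! Added example, not the poster's session. 203.0.113.1 = bank gateway placeholder,
! 192.168.1.10 = one inside host (both assumptions).

! 1. Phase 2 counters. Generate traffic from an inside host (ping 22.214.171.124 from
!    192.168.1.10); a ping sourced from the ASA itself does not pass the inside NAT rule.
!    "#pkts encaps" rising with "#pkts decaps" at 0: the bank side never answers, or its
!    Check Point/server drops the ICMP. Both at 0: the flow is not matching VPN-TRAFFIC,
!    usually because NAT did not happen before the crypto map was evaluated.
show crypto ipsec sa peer 203.0.113.1

! 2. Simulate the flow. The output lists every phase (ACCESS-LIST, NAT, VPN encrypt ...)
!    and, when the packet is dropped, the phase and the drop reason.
packet-tracer input inside icmp 192.168.1.10 8 0 22.214.171.124 detailed

! 3. Confirm the translation to the public address was actually built.
show xlate | include 18.104.22.168

! 4. Find the drop in the log; the syslog id identifies which check failed.
logging buffered debugging
show logging | include 22.214.171.124
```

Step 2 is the quickest way to tell the two failure modes apart: if packet-tracer shows the NAT phase translating to 18.104.22.168 and the VPN phase encrypting, the problem is on the bank's side or in the return path; if it stops before the VPN phase, fix the NAT ordering or the crypto ACL on the ASA.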