Outside interface non-routable address

ryan.gutierrez
Level 1

Greetings all,

I am currently working with a vendor to get my ASA5520 set up to handle IPsec VPN connections for my clients and we are stumped with how to get the outside interface to respond to connections/requests.

I work for a state agency and our network connectivity is provided to us by another agency/department. The firewall I want to use for VPN connectivity has an outside address of 10.0.8.162 which is not routable outside the state's network. I have been assigned a set of public IP addresses for servers in my DMZ and I am wondering if it is possible to configure the ASA to utilize one of those public IP addresses for VPN communication. My DMZ network is set up as a local 192.168.10.0 network and the ASA is performing NAT translations to the corresponding public IP addresses.

I was toying around with the idea of putting in a NAT rule to translate one of the public IP addresses to the 10.0.8.162 outside interface, but I wasn't sure if that would work.

Thanks for all your help and feel free to let me know if I'm crazy and it's not going to work.

1 Reply

Marvin Rhoads
Hall of Fame

You should try to get the other agency to assign a static NAT for your 10.0.8.162. Then your clients can point to that public IP and you will receive their requests intact with only your address changed to its real value.

I don't think you can "fool" the ASA into NATting its own outside address for traffic whose destination is the ASA itself (e.g., the IPsec VPN session establishment and maintenance).
