
VPN with external ip

Freddy Andersen
Level 1

Hi,

I need to set up a VPN tunnel from our 5200 ASA (8.2.1) using an external IP.

This is what I wanted to do but not sure how:

10.0.0.0/24 --> Global nat (66.0.0.135) -> VPN -> other side 47.0.0.47

I would like to have the ability to use any of my hosts on the 10.0.0.0 network to grab a NAT .135 and go through that VPN tunnel but I'm not sure that is possible..

My other option would be:

10.0.0.10 --> NAT 66.0.0.136 -> VPN -> other side 47.0.0.47

This is not a great solution since I need more than one internal host to talk to the .47 on the other end of the tunnel.

My inside interface has 10.0.0.0/24

My outside is 66.0.0.134/26

Accepted Solutions

rizwanr74
Level 7

Hi Freddy,

What you need is policy-based static NAT for a site-to-site VPN tunnel.

Please follow the Cisco doc link below; it explains how you can implement your solution.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Please let me know if this helps.

Thanks

Rizwan Rafeek

It helps but now I get this:

global address overlaps with mask

access-list policy-nat extended permit ip 10.0.0.0 255.255.255.0 host 64.0.0.227

static (inside,outside) 66.0.0.128 access-list policy-nat

I have a global NAT that translates any to 66.0.0.135:

access-list nonat10 extended permit ip 10.0.0.0 255.255.254.0 192.168.200.0 255.255.255.0

global (outside) 1 66.0.0.135 netmask 255.255.255.192

nat (inside) 0 access-list nonat10

nat (inside) 1 0.0.0.0 0.0.0.0

Hi Freddy,

You do not have to use all the IPs in the pool for policy-static NAT, but you can use just a single IP alone.

Please follow the config below.

static (inside,outside) 66.0.0.135 access-list policy-nat

Please let me know if this helps.

Thanks
