03-19-2010 09:45 PM - edited 03-04-2019 07:52 AM
Hello guys,
I have a Cisco ASA5520 that is facing the ISP with a private IP address. We have no router, so how do I route an IPsec VPN across the Internet?
Firewall config:
Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0
Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100
I have public IP block 199.9.9.1/28
How can I use the public IP addresses to create an IPsec VPN tunnel between two sites across the Internet?
Should I assign one public IP address to the Gi1 inside interface with security-level 100, and how do I apply the inside route on this interface?
If I configure >>firewall inside Gi1 interface ip address 199.9.9.1/28 with security-level 100, how do I make sure VPN traffic routes through this interface across the Internet?
I am used to assigning public IP address to outside interface of the firewall and private IP address to inside interface.
Please help with configuration examples and advise.
Thanks,
Eric
03-20-2010 04:55 AM
Any possible solutions please????
Thanks,
Eric
03-20-2010 05:16 AM
This configuration guide on creating a VPN tunnel over the Internet will help you get started.
03-20-2010 12:24 PM
Thank you so much Sean. I'm planning to put a router in front of the firewall and work with my ISP on possibly performing 1-to-1 translation or PAT dynamic NAT.
Thanks,
Eric
03-20-2010 05:22 AM
Recommend you get a Cisco router with ADSL so you can either use PPPoE on the ASA, or eliminate the ASA and do everything on the router.
03-20-2010 12:31 PM
Thank you P, I'm planning to add a router and work with my ISP on possibly performing 1-to-1 translation or PAT dynamic NAT. Management requirement: I must use the firewall and eliminate the router if possible.
Thanks,
Eric
03-22-2010 05:35 AM
Routers do firewall too; show your management the Cisco doc about it.
03-23-2010 05:23 PM
Yes, I tried to add a router but it is not an option. So, your advice on this config will be very much appreciated.
Hi, my ISP confirmed that the public IP address is registered with the private one. My only option is to use the ASA firewall without a router. ASA firewall facing >>ISP with private IP address. How can I utilize the public IP address to initiate a VPN site-to-site tunnel? I thought of using the global PAT below. Will this config, using interface Gi2 199.9.9.1 to initiate the VPN tunnel with the other office, work? Please advise with your best examples.
CiscoASA#interface Gi0
CiscoASA#nameif outside
CiscoASA#ip address 10.0.1.2 255.255.255.0
CiscoASA#security-level 0
CiscoASA#interface Gi1
CiscoASA#nameif inside
CiscoASA#ip address 192.168.1.1 255.255.255.0
CiscoASA#security-level 100
CiscoASA#igmp forward interface outside
CiscoASA#interface Gi2
CiscoASA#nameif inside
CiscoASA#security-level 50
CiscoASA#ip address 199.9.9.1 255.255.255.0
CiscoASA#igmp forward interface outside
CiscoASA#same-security-traffic permit intra-interface
CiscoASA#access-list outside in extended permit icmp any any
CiscoASA#access-list outside in extended permit tcp any any
CiscoASA#global (inside, outside) 1 199.9.9.2 netmask 255.255.0.0
CiscoASA#global (outside, inside) 1 10.0.1.2 255.255.255.0
CiscoASA#nat (inside) 1 0.0.0.0 0.0.0.0
CiscoASA#route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
Thanks,
Eric
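As an added example (not from this thread, and not Cisco code), a small Python checker for the kinds of slips that creep into a pasted ASA interface configuration like the draft above: malformed netmasks, a nameif reused on two interfaces, out-of-range security levels and mistyped sub-commands. The sample config it runs on is constructed to reproduce those slips; the function and constant names are assumptions.

```python
import re

# Dotted-quad matcher: exactly four octets, each 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")
# Interface sub-commands we accept without further checks.
KNOWN = ("igmp", "description", "shutdown", "no ")
# Top-level commands that end an interface block in a pasted session.
TOPLEVEL = ("access-list", "global", "nat ", "route ", "same-security-traffic")

def valid_mask(mask):
    """A netmask must be a dotted quad whose set bits are contiguous."""
    if not IPV4.match(mask):
        return False
    bits = "".join(f"{int(o):08b}" for o in mask.split("."))
    return "01" not in bits          # a zero followed by a one is not a mask

def check_asa_interfaces(config):
    """Return a list of findings for the interface blocks in an ASA config."""
    findings, names, current = [], {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())   # drop a 'CiscoASA#' prompt
        if not line:
            continue
        if m := re.match(r"interface\s+(\S+)$", line):
            current = m.group(1)
            continue
        if line.lower().startswith(TOPLEVEL):
            current = None                  # back at global config mode
            continue
        if current is None:
            continue                        # only interface sub-commands are checked
        if m := re.match(r"nameif\s+(\S+)$", line):
            name = m.group(1)
            if name in names:
                findings.append(f"{current}: nameif {name!r} already used on {names[name]}")
            names.setdefault(name, current)
        elif m := re.match(r"(?:ip\s+)?address\s+(\S+)\s+(\S+)$", line):
            ip, mask = m.groups()
            if not IPV4.match(ip):
                findings.append(f"{current}: bad address {ip}")
            if not valid_mask(mask):
                findings.append(f"{current}: bad netmask {mask}")
        elif m := re.match(r"security-level\s+(\S+)$", line):
            if not (m.group(1).isdigit() and int(m.group(1)) <= 100):
                findings.append(f"{current}: security-level must be 0-100, got {m.group(1)}")
        elif not line.startswith(KNOWN):
            findings.append(f"{current}: unrecognised sub-command {line!r}")
    return findings

# Constructed sample modelled on the draft in the thread, slips included.
SAMPLE = """CiscoASA#interface Gi0
CiscoASA#nameif outside
CiscoASA#address 10.0.1.2 255.255.255.255.0
CiscoASA#security-lvel 0p
CiscoASA#interface Gi1
CiscoASA#nameif inside
CiscoASA#192.168.1.1 255.255.255.0
CiscoASA#security-level 100
CiscoASA#interface Gi2
CiscoASA#nameif inside
CiscoASA#security-level 50
CiscoASA#ip address 199.9.9.1 255.255.255.0
"""
```

Running `check_asa_interfaces(SAMPLE)` reports the five-octet mask on Gi0, the mistyped security-level line, the address line on Gi1 that lacks `ip address`, and the second `nameif inside` on Gi2.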