cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
782
Views
0
Helpful
7
Replies

Cisco ASA5520 Facing ISP with private IP address. How to route IPSec VPN accross the internet?

Eric Boadu
Level 1
Level 1

Hello guys,

I have Cisco ASA5520 that is facing ISP with private IP address. We have no router and how to route IPSec VPN accross the internet?

Firewall config:

Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0

Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100

I have public IP block 199.9.9.1/28

How can I use the public IP address to create IPSec VPN tunnel between two sites accross the internet?

should I assign one public IP address on the Gig1 inside interface with security-level 100 and how to apply the inside to route on this interface?

If I configure >>firewall inside Gi1 interface ip address 199.9.9.1/28 with security-level 100. How do I make sure VPN traffic route through this interface accross the internet?

I am used to assigning public IP address to outside interface of the firewall and private IP address to inside interface.

Please help with configuration examples and advise.

Thanks,

Eric

7 Replies 7

Eric Boadu
Level 1
Level 1

Any possible solutions please????

Thanks,

Eric

This configuration guide oncreating a VPN tunnel over the Internet will help you get started.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Thank you so much Sean and I'm planing to putting router infront of the firewall and work with my ISP for possible performing 1to1 translation or pat dynamic nat.

Thanks,

Eric

Recommed you get a cisco rotuer with adsl so you can either use PPPoE on asa, or elimiante teh ASA and everything on the router.

thank you P, I'm planing to add router and work with  my ISP for possible performing 1to1 translation or pat dynamic nat. Management Requirement I must use the firewall and eliminate router if possible.

Thanks,

Eric

Router do firewall too, show you management the cisco doc about it.

Yes, I tried to add Router but it is not an option. So,  your advice on this config will be very appreciated

Hi, My ISP confirmed that the public IP address is resgister with the private.My only option is to use ASA firewall without a Router. ASA Firewall facing >>ISP with private IP address. How can I utilize the public IP address to initiate VPN site-to-site tunnel? I thought of using global PAT below. Can this config using interface Gi2 199.9.9.1 to initiate VPN tunnel with other office will work? Please advice with your best examples

CiscoASA#interface Gi0

CiscoASA#nameif outside

CiscoASA#address 10.0.1.2 255.255.255.255.0

CiscoASA#security-lvel 0p

CiscoASA#interface Gi1

CiscoASA#nameif inside

CiscoASA#192.168.1.1 255.255.255.0

CiscoASA#security-level 100

CiscoASA#igmp forward interface ouside

CiscoASA#interface Gi2

CiscoASA#nameif inside

CiscoASA#security-level 50

CiscoASA#ip address 199.9.9.1 255.255.255.0

CiscoASA#igmp forward interface ouside

CiscoASA#same-security-traffic permit intra-interface

CiscoASA#access-list outside in extended permit icmp any any

CiscoASA#access-list outside in extended permit tcp any any

CiscoASA#global (inside, outside) 1 199.9.9.2 netmask 255.255.0.0

CiscoASA#global (outside, inside) 1 10.0.1.2 255.255.255.0

CiscoASA#nat (inside) 1 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 10.0.1.1 1

Thanks,

Eric

Firewall outside Gi0 interface 10.0.1.2 >>>>>ISP 10.0.1.1 with security-level 0

Firewall inside Ethernet0 interface 192.168.1.1 >>>>LAN switch 192.168.1.2 with security-level 100

I have public IP block 199.9.9.1/28

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: