[cisco-bba] Cisco ASA 5005 LAN-LAN with NAT
Steven Johnson
sjohnson at creditorsinterchange.com
Wed Oct 10 21:15:02 EDT 2007
I am trying to set up an IPsec tunnel. One of the requirements from the
people we are connecting to is that we must appear to source the tunnel
from a public IP instead of the private IP of the box. I do not know
what model device they are using, but I do know it is a Checkpoint.
Ours is a Cisco ASA5505. Our config looks like this.
The other side uses a Checkpoint and their hosts are also NAT'd. For the
purpose of this post I will call them Remote Peer1 and
Remote Peer2. Their Checkpoint VPN will be called Checkpoint Firewall.

Remote Peer1 Static NAT to 2.2.2.2 --> Checkpoint --> ASA5505 --> Our Local host Static NAT'd to 3.3.3.2
Remote Peer2 Static NAT to 2.2.2.3      2.2.2.1        3.3.3.1
Am I missing something?
Thanks in advance,
Steve
interface Vlan1
nameif inside
security-level 100
ip address Private Address
interface Vlan2
nameif outside
security-level 0
ip address Public Address
access-list outside_in extended permit ip host Remote Peer1 host Cubs_Outside log
access-list outside_in extended permit ip host Remote Peer2 host Cubs_Outside log
access-list outside_in extended deny ip any host Cubs_Outside log
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-group outside_in in interface outside
crypto ipsec transform-set The_Client esp-3des esp-sha-hmac
crypto map The_Client 1 match address From_Holtz
crypto map The_Client 1 set pfs
crypto map The_Client 1 set peer Checkpoint Firewall
crypto map The_Client 1 set transform-set The_Client
crypto map The_Client interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp nat-traversal 20
tunnel-group Checkpoint Firewall type ipsec-l2l
tunnel-group Checkpoint Firewall ipsec-attributes
pre-shared-key *
Steven J
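An added check, not part of the original post: on the ASA, static NAT is applied before the crypto map is consulted on egress, so the interesting-traffic ACL has to name the translated (outside) address, not the real inside one. The script below parses a constructed sample modelled on the config above (object names kept, the two remote peers renamed Remote_Peer1/Remote_Peer2 so each field is one token, pre-8.3 static syntax assumed) and flags crypto-ACL entries whose source is still a pre-NAT address.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the post's config: object names are kept, the
# two remote peers get underscore names so each statement is one token per field,
# and statements that wrapped in the archive are joined back onto one line.
SAMPLE_CONFIG = """
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer2
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
crypto map The_Client 1 match address From_Holtz
"""

# pre-8.3 syntax: static (real_if,mapped_if) <mapped> <real> ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+) host (\S+)")


def parse_statics(cfg: str) -> Dict[str, str]:
    """Map each static NAT's real (inside) address to its mapped (outside) one."""
    statics: Dict[str, str] = {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped, real = m.group(3), m.group(4)
            statics[real] = mapped
    return statics


def parse_crypto_acls(cfg: str) -> Set[str]:
    """Names of ACLs bound to a crypto map entry as interesting-traffic selectors."""
    return {m.group(1) for line in cfg.splitlines()
            if (m := CRYPTO_RE.match(line.strip()))}


def find_pre_nat_sources(cfg: str) -> List[str]:
    """Flag crypto-ACL entries whose source is a real address covered by a static
    NAT.  NAT runs before the crypto map on egress, so such an entry never matches
    the already-translated packet and that host's traffic never enters the tunnel."""
    statics = parse_statics(cfg)
    crypto_acls = parse_crypto_acls(cfg)
    findings: List[str] = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) in crypto_acls and m.group(2) in statics:
            findings.append(f"{line.strip()}  -> source should be {statics[m.group(2)]}")
    return findings


if __name__ == "__main__":
    for finding in find_pre_nat_sources(SAMPLE_CONFIG):
        print(finding)
```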