[cisco-bba] Cisco ASA 5005 LAN-LAN with NAT

Steven Johnson sjohnson at creditorsinterchange.com
Wed Oct 10 21:15:02 EDT 2007


I am trying to set up an IPsec tunnel. One of the requirements from the
people we are connecting to is we must appear to source the tunnel
from a public IP instead of the private IP of the box. I do not know
what model device they are using but I do know it is a Checkpoint.

Ours is a Cisco ASA5505. Our config looks like this.

 

The other side uses a Checkpoint and their hosts are also NAT'd. For the
purpose of this post I will call them Remote Peer1 and Remote Peer2.
Their Checkpoint VPN will be called Checkpoint Firewall.

Remote Peer1 (static NAT to 2.2.2.2) --\
                                        --> Checkpoint (2.2.2.1) --> ASA5505 (3.3.3.1) --> our local host (static NAT'd to 3.3.3.2)
Remote Peer2 (static NAT to 2.2.2.3) --/

Am I missing something?

Thanks in advance,

Steve


interface Vlan1
 nameif inside
 security-level 100
 ip address Private Address

interface Vlan2
 nameif outside
 security-level 0
 ip address Public Address

access-list outside_in extended permit ip host Remote Peer1 host Cubs_Outside log
access-list outside_in extended permit ip host Remote Peer2 host Cubs_Outside log
access-list outside_in extended deny ip any host Cubs_Outside log

access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-group outside_in in interface outside

crypto ipsec transform-set The_Client esp-3des esp-sha-hmac
crypto map The_Client 1 match address From_Holtz
crypto map The_Client 1 set pfs
crypto map The_Client 1 set peer Checkpoint Firewall
crypto map The_Client 1 set transform-set The_Client
crypto map The_Client interface outside

crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20

tunnel-group Checkpoint Firewall type ipsec-l2l
tunnel-group Checkpoint Firewall ipsec-attributes
 pre-shared-key *


Steven J
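Editor's added example, not part of Steve's post: on the ASA, outbound traffic is translated by NAT before the crypto map is evaluated, so the crypto (interesting-traffic) ACL has to match the translated address. With the static above, the local host leaves the outside interface as Cubs_Outside, which the From_Holtz ACL (sourced from Cubs_Inside) never matches, so nothing is ever classified as interesting traffic. The fragment below assumes the object names from the post and the standard ASA show commands for verification.

```cisco
! Crypto ACL must reference the post-NAT address.
! static (inside,outside) Cubs_Outside Cubs_Inside is applied before the
! crypto map is checked, so the source seen by the crypto map is Cubs_Outside.
no access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
no access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2
access-list From_Holtz extended permit ip host Cubs_Outside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Outside host Remote Peer2
!
! The Checkpoint side must mirror this: its encryption domain for our site
! should contain Cubs_Outside (3.3.3.2 in the diagram), not the private address.
!
! Checks after a test ping from Cubs_Inside to Remote Peer1:
! phase 1 SA should show State : MM_ACTIVE
show crypto isakmp sa
! phase 2 SA: #pkts encaps and #pkts decaps should both increment
show crypto ipsec sa
! hit counts on the crypto ACL entries confirm traffic is being matched
show access-list From_Holtz
```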
