Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Cisco: BBA

Cisco ASA 5005 LAN-LAN with NAT

 

 

Cisco bba RSS feed   Index | Next | Previous | View Threaded


sjohnson at creditorsinterchange

Oct 10, 2007, 6:15 PM

Post #1 of 1 (5938 views)
Permalink
Cisco ASA 5005 LAN-LAN with NAT

I am trying to setup an ipsec tunnel. One of the requirements from the
people we are connecting to is we must appear to source the tunnel

from a public IP instead of the private ip of the box. I do not know
what model device they are using but I do know it is a checkpoint.



Ours is a Cisco ASA5505. Our config looks like this.



The other side uses a checkpoint and their hosts are also Nat'd. For the
purpose of this post I will call them Remote Peer1 and

Remote Peer2. Their Checkpoint VPN will be called Checkpoint Firewall



Remote Peer1 Static Nat to 2.2.2.2 --> Checkpoint --> ASA5505
--> Our Local host Static Nat'd to 3.3.3.2

Remote Peer2 Static Nat to 2.2.2.3 2.2.2.1
3.3.3.1



Am i missing something?



Thanks in advance,



Steve



interface Vlan1

nameif inside

security-level 100

ip address Private Address



interface Vlan2

nameif outside

security-level 0

ip address Public Address



access-list outside_in extended permit ip host Remote Peer1 host
Cubs_Outside log

access-list outside_in extended permit ip host Remote Peer2 host
Cubs_Outside log

access-list outside_in extended deny ip any host Cubs_Outside log



access-list From_Holtz extended permit ip host Cubs_Inside host Remote
Peer1

access-list From_Holtz extended permit ip host Cubs_Inside host Remote
Peer2



global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255

access-group outside_in in interface outside



crypto ipsec transform-set The_Client esp-3des esp-sha-hmac

crypto map The_Client 1 match address From_Holtz

crypto map The_Client 1 set pfs

crypto map The_Client 1 set peer Checkpoint Firewall

crypto map The_Client 1 set transform-set The_Client



crypto map The_Client interface outside



crypto isakmp enable outside



crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp nat-traversal 20

tunnel-group Checkpoint Firewall type ipsec-l2l

tunnel-group Checkpoint Firewall ipsec-attributes

pre-shared-key *



Steven J

Cisco bba RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.