Re: ASA IPSec question



On Feb 11, 1:51 pm, bn...@xxxxxxxx wrote:
On Feb 9, 11:35 pm, bod43 <Bo...@xxxxxxxxxxxxx> wrote:



On 9 Feb, 22:41, Darren Green <darrenfgr...@xxxxxxxxxxxxx> wrote:

On Feb 9, 3:08 pm, bn...@xxxxxxxx wrote:

I have been trying real hard to figure this out but now I am wondering
if it is possible at all. We have a customer who wants to setup an
IPSec vpn tunnel with them to securely transfer files. The
configuration is below

                      Customer's server
                             |
                  CheckPoint FW (Tunnel endpoint)
                             |
                         Internet
                             |
Server in DMZ (Private IP) ------------------ ASA (Tunnel endpoint)

The tunnel is created fine but I can't pass any traffic to them and my
suspicion is that it is due to NAT. We are NATing the private IP from
our server to a public IP (static NAT) , but the customer only will
allow public IPs for our encryption domain, not the private IP that is
actually in use. At the heart of this I believe this to be a routing
problem (the customer's server doesn't know how to get back to our
network and/or if it does come back, it isn't getting back to the
correct private IP. I know that NAT and IPSec don't mix, but looking
at that further that was more for AH types and this is ESP.
So my basic question here is: is this possible to do with this
setup through the ASA, and if so how?

Thanks for your input,

Ted

Hi Ted,

When looking at the diagram in my WWW browser it was all skewed.
Reading the text I sort of got the impression that you wanted to set
up a public to public VPN, if I am mistaken my apologies.

I just wanted to make a point about NAT and IPSEC. Nat happens before
encryption when you are sending traffic (& the reverse inbound). There
are a number of articles on Cisco.com that explain this. Whatever you
are trying to achieve just picture this first. When your traffic is
NAT'd your crypto acl's will include the translated address. The
remote end would just need a route back to the same address. NAT
doesn't have to break the VPN.

There is one thing that I think might be needed here that is
not necessarily obvious.

I think that you need a route in your ASA pointing to the
"public IP" with the next hop in your DMZ.

e.g.
ip route public-IP 255.255.255.255 any-address-in-your-dmz

The any-address-in-your-dmz does not even have to exist.
It will never actually be used since the NAT process
will do its stuff before the packet gets to the DMZ interface.

I think it is needed though to direct the traffic in the right
direction when it comes into the router.

See for example: http://www.cisco.com/application/pdf/paws/6209/5.pdf
ip nat inside source static 171.68.200.48 172.16.47.150
ip route 171.68.200.0 255.255.255.0 172.16.47.162

The route is *never* used to send traffic since packets
entering the router with the dest 171.68.200.48
get the dest changed to 172.16.47.162 but
the command is there in the example all the same.

I know that the link refers to IOS and not to PIX/ASA
but I have had to do the same thing on
Checkpoint too.

I am slightly confused frankly with this but I for
sure have had to do something similar from time
to time.

Thanks for the ideas. I found this documentation on Cisco's site
(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml)
which best depicts my situation and found out that I indeed was configuring it
like this already but it still doesn't work. As I have some example to
go by, I have contacted the other company in an effort to try and see
if they can see any traffic trying to go across the tunnel. I also did
try the extra route command as well but that didn't seem to have any
effect. Having so many different variables and not being in control of
the other side of the tunnel is making me a bit crazy. The other
company gave me an IP to ftp to through the tunnel for test, but I am
now even questioning if that is right, as that too would explain why
the traffic isn't going across.

Thanks,

Ted

The hyperlink didn't get fully captured right, so if you check out the
example on Cisco's site, it is called "PIX/ASA 7.x and later: Site to
Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks)
Configuration Example".

Thanks,

Ted
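An added example, not configuration from any poster in this thread: an ASA 7.2/8.0-style fragment that puts Darren's point (the crypto ACL names the translated public address, because NAT runs before encryption) and bod43's suggested host route into ASA syntax, followed by the local checks that show whether a test packet actually reaches the crypto map. All addresses, object names and the peer are constructed placeholders from the RFC 5737 documentation ranges.

```text
! Constructed example (ASA 7.2/8.0 syntax). Addresses are RFC 5737 placeholders:
!   DMZ server real IP       192.168.10.10  (dmz interface)
!   DMZ server public IP     203.0.113.10   (static NAT on outside)
!   Customer's CheckPoint    198.51.100.1   (remote tunnel endpoint)
!   Customer's server        198.51.100.20  (remote encryption domain)

! 1. Static NAT: NAT happens before encryption on egress, so the server
!    leaves the ASA as 203.0.113.10, which is what the customer allows.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! 2. The crypto ACL must match the TRANSLATED source; an entry for
!    192.168.10.10 would never match. Do not add a nat 0 (NAT exemption)
!    rule for this flow, or the private address would be sent instead.
access-list L2L_CUSTOMER extended permit ip host 203.0.113.10 host 198.51.100.20

! 3. Phase 1 / Phase 2 (placeholder parameters; use the ones the customer agreed).
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CUSTOMER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET

! 4. bod43's host route for the public IP, in ASA syntax. The next hop need
!    not exist: the xlate un-NATs returning packets before the route matters.
route dmz 203.0.113.10 255.255.255.255 192.168.10.1

! 5. Local checks to run before asking the remote side what they see:
!    simulate the FTP control connection through NAT, routing and the crypto map
packet-tracer input dmz tcp 192.168.10.10 1025 198.51.100.20 21 detailed
!    confirm the static xlate exists for the server
show xlate | include 192.168.10.10
!    after a test transfer, #pkts encaps should rise; decaps at zero means the
!    far side is not sending anything back into the tunnel
show crypto ipsec sa peer 198.51.100.1
show crypto isakmp sa
```

If packet-tracer shows the VPN phase as ALLOW but the SA's encaps counter still stays at zero, the interesting traffic is not being generated at all (for example the test FTP target is not inside the customer's encryption domain), which is the doubt Ted raises about the test address he was given.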