Site-to-site VPN on a firewall with no public IP address

Dear all,

I have a site-to-site VPN configuration requirement with one complication: my internet connection is terminated on the router and I have only a single public IP address. My ASA is behind this router with no public IP (see the attached chart). This router does not support VPN, so I need to configure the VPN on the firewall.

192.168.20.0/24 is the network between the router and the firewall; 192.168.10.0/24 is the inside network (the attached diagram has the full details).

Please advise on the configuration to achieve this...

Thanks in advance...

Mikael

If the router is a Cisco, the configuration would be:

ip nat inside source static udp 192.168.20.2 500 interface <outside-interface> 500 extendable

ip nat inside source static udp 192.168.20.2 4500 interface <outside-interface> 4500 extendable
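A way to verify this router-side prerequisite from the running config, as an added example that is not part of the original answer (the sample config, interface names and public address in it are constructed):

```python
"""Added example (not from the thread): check that an IOS router's static NAT
entries forward IKE (UDP/500) and NAT-T (UDP/4500) to the IPsec peer behind it.
ESP itself carries no ports, so with one public address the ASA depends on NAT-T.
"""
import re
from typing import Dict, List, Tuple

# IOS form: ip nat inside source static udp <in-ip> <in-port> interface <if> <out-port> extendable
_STATIC_UDP = re.compile(
    r"^ip nat inside source static udp (?P<ip>\S+) (?P<inport>\d+) "
    r"interface (?P<ifname>\S+) (?P<outport>\d+)( extendable)?$"
)

# Constructed sample config (not from the page): the UDP/4500 forward is missing.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
ip nat inside source static udp 192.168.20.2 500 interface GigabitEthernet0/0 500 extendable
"""

def nat_outside_interfaces(config: str) -> set:
    """Names of interfaces configured with 'ip nat outside'."""
    result, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.strip() == "ip nat outside" and current:
            result.add(current)
    return result

def udp_forwards(config: str) -> Dict[int, Tuple[str, int, str]]:
    """outside UDP port -> (inside ip, inside port, outside interface)."""
    found = {}
    for line in config.splitlines():
        m = _STATIC_UDP.match(line.strip())
        if m:
            found[int(m["outport"])] = (m["ip"], int(m["inport"]), m["ifname"])
    return found

def check_ipsec_forwards(config: str, peer_ip: str) -> List[str]:
    """Findings for the IKE/NAT-T forwards; an empty list means both reach peer_ip."""
    forwards, outside = udp_forwards(config), nat_outside_interfaces(config)
    findings = []
    for port, name in ((500, "IKE"), (4500, "NAT-T")):
        entry = forwards.get(port)
        if entry is None:
            findings.append(f"UDP/{port} ({name}) is not forwarded to {peer_ip}")
            continue
        ip, inport, ifname = entry
        if ip != peer_ip:
            findings.append(f"UDP/{port} ({name}) goes to {ip}, not the IPsec peer {peer_ip}")
        if inport != port:
            findings.append(f"UDP/{port} ({name}) is remapped to inside port {inport}; "
                            "IKE expects the same port on both sides")
        if ifname not in outside:
            findings.append(f"UDP/{port} ({name}) uses {ifname}, which lacks 'ip nat outside'")
    return findings
```

Run it against a `show running-config` dump; the single finding on the constructed sample is the missing UDP/4500 forward, which is exactly what stops IPsec data from flowing after IKE succeeds.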

Tags: Cisco Security

Similar Questions

  • EBS 12i on a cloud server with a public IP address but no DMZ

    Hello

    I installed Oracle EBS on a cloud server (such as AWS EC2) with a public IP address. This is purely for personal learning, and I understand the security risks. As it is not production, security is not a serious concern at this point.

    Also, I don't want to get into DMZ configuration at the moment.

    I am able to access APPS internally on the server on port 8000 with the URL http://<server:8000>/OA_HTML/AppsLogin, but I'm unable to access that URL from the internet.


    The environment is EBS 12.2.0 on Oracle Linux 5.11.


    I tried the following options, but so far without success.

    1. I tried completely disabling the Linux firewall and SELinux on the server. I have also allowed the above URL in my personal office. So port 8000 is not blocked anywhere.

    2. I followed this note to try to set it up on port 80, but still without success: Configuring Oracle E-Business Suite Release 12 on Amazon Cloud Infrastructure (Doc ID 1205963.1). Note that mine isn't on AWS EC2 but on a similar model.

    So the simple question is: how can I access the EBS front end from the internet (DMZ) using port 8000? Do I need to update the httpd.conf of the EBS web tier (besides point 2 above)?

    Any help will be greatly appreciated. Thank you.

    See you soon!

    Gray

    Hello

    I discovered that the CDN I was using was blocking port 8000. When I bypassed the CDN, I could access the URL on port 8000.

    Thanks a lot for your help on this one.

    Regards

    Gray

  • Configure a WRT54G router with a public IP address and use DHCP for internal computers

    Hello

    I have an Internet service with 5 public IP addresses.

    The router and the AP are connected to a switch.

    I would like to set up a WRT54G router with a public IP address and use DHCP (with private IP addresses) for the computers that will connect to the AP.

    As the AP is connected to the switch, is it possible for the other wired computers connected to the same switch to get an IP from the DHCP?

    Thanks in advance

    In this case, the routing is automatic.

    WRT54G configuration:

    WAN:

    Internet connection: static IP address

    IP address: 180.x.x.170

    Subnet mask: 255.255.255.248

    Gateway: 180.x.x.x (Ex: 180.x.x.1)

    DNS: your ISP's DNS servers

    LAN:

    The IP address of the router: 10.10.10.1

    DHCP range: 10.10.10.100 to 10.10.10.200

  • Can two standalone EX90s with public IP addresses make video calls between themselves over the Internet?

    Dear expert;

    I am very new to VCS and TP Cisco.

    We are now implementing Cisco TelePresence with VCS-C, VCS-E, TMS, TCS, MCUs and endpoints with Jabber in one deployment,

    and in another deployment CUCM 10.5, UCCX 10.5, IM&P, and Jabber with some 10 users.

    Now the question: in our building we have an EX90 on the 2nd floor and an EX90 on the 5th floor, and on the local network we can make video calls using the IP address.

    In the same way, is it possible to make a video call between 2 EX90 devices (both with public IPs) located at different sites in the same city over the Internet, without involving VCS-C and VCS-E?

    It's the client request :)

    Regards

    Paiva

    Yes, but leaving these systems out in the wild with public IP addresses leaves you vulnerable to a number of issues. See for example http://www.videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/

    https://supportforums.Cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls

    https://supportforums.Cisco.com/discussion/12340591/nuisance-h323-calls-SX20

    The above deal with H.323 calls; in addition, you will encounter similar problems using SIP, where the systems will be scanned by tools such as SIPVicious.

    /Jens

    Please rate the answers and mark the question as "answered" as appropriate.

  • Site-to-many VPN with PIX 6.3(5): can it be done?

    Hello

    I set up a VPN tunnel between two PIXes (for example, PIX A and PIX B) running 6.3(5). It works very well. I then tried to add another VPN tunnel from PIX A to a new PIX C. It does not work! It seems that I can only assign one crypto map, and therefore one tunnel, to a physical interface on the PIX. Is this right? I assumed that you could run several VPN tunnels from a single physical interface.

    All advice warmly received!

    Regards

    Paul

    You can use something like this:

    crypto map VPN-map 10 ipsec-isakmp
    crypto map VPN-map 10 match address B-VPN
    crypto map VPN-map 10 set peer b.b.b.b
    crypto map VPN-map 10 set transform-set ESP-AES256-MD5
    crypto map VPN-map 20 ipsec-isakmp
    crypto map VPN-map 20 match address C-VPN
    crypto map VPN-map 20 set peer c.c.c.c
    crypto map VPN-map 20 set transform-set ESP-AES256-MD5

  • ACCESSING A SITE ON A COMPUTER IN THE SAME NETWORK WITH ITS PUBLIC IP ADDRESS

    My site is hosted on port 8084 on my laptop. The internet address of my laptop is 116.202.21.218.
    In the browser on the laptop I can access my website at *:8084.
    My mobile is connected to my laptop over Wi-Fi with IP 192.168.137.70.
    The web page loads if the address of the website is written in the mobile browser as 192.168.137.1:8084,
    but 116.202.21.218:8084 does not work in the mobile browser. I use a dial-up connection and I set up the adapter settings
    so that this Wi-Fi network can use the internet connection through the network.
    116.202.21.218 sees TCP from 192.168.137.70 (in Microsoft Network Monitor), but the client sends SYN again and again.
    I want my site to be reachable from my mobile browser. How?
    I need help. Thanks in advance...

    Hi Hriskesh,

    I suggest you post the question on the link below. This is the link to TechNet support for Windows 7.

    http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    Feel free to write to us if you have any further questions. We will be happy to help.

  • Does VPN work with a public IP address range?

    Hello

    If I use a public IP range (for example 100.100.x.x) for my business network, and I intend to use VPN to connect to my remote desktop, will this cause a problem? Will there be any impact?

    My concern is that I could be sending IP addresses from the internet that could cause a conflict. Can anyone clear up my doubts about this?

    Thank you!!!

    Hello

    If you are going to do a LAN-to-LAN (site-to-site) VPN tunnel between your remote site and your office, it won't cause any problems if you have public (routable) IP addresses configured on your home LAN or your office, because by default IPsec tunnel mode is used when configuring LAN-to-LAN tunnels. Tunnel mode adds an extra routable header whose source and destination IPs are your local and remote IKE peer IP addresses instead of your inside IPs; your inside IPs remain hidden within the tunnel header, no matter what IP addresses they contain.

    So it is possible without impact.

    Thank you

    AFAQ

  • ASA VPN with two different public IP addresses

    Hello all. I can't find someone who can give me a 'for sure' answer on this. I want to connect two ASA 5505s, called A and B, via VPN. Inside A we have the net 10.0.0.0/24 and inside B the net 10.0.1.0/24. Now, we can have 2 outside IP addresses for one ASA (e.g. 215.18.18.10 and 222.26.12.12) because we have 2 providers to connect to the internet. Can the ASA follow 2 VPNs (with the same crypto map for the inside destination) so that if one fails it will switch to the other VPN by itself?

    Can this be done with other Cisco devices (for example, a 2800 series router)?

    Thank you very much

    What are you looking for?

    1. If the connection to B fails, then A will use the secondary WAN connection to try to bring up the tunnel.

    I would use the backup ISP for this function.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

    2. If the connection to A fails, then B will try to set up the tunnel with the secondary peer address.

    You can set several peers using crypto maps to provide redundancy.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a0080450b73.html#wp1042941

  • Site-to-site VPN between ISR4331 (data center) and 25 branches with RV042 and dynamic public IP addresses

    Hi, we just got an ISR4331 router. We will use this router in our datacenter as the VPN hub. Needless to say, it will have a static IP address. Our goal is to connect 30 small offices to the datacenter by site-to-site VPN. All of our offices have an RV042 router and a DSL connection, so a dynamic public IP. How do we accomplish this task? Preferably the VPN connection should be stable and the tunnels should not need to be reconfigured frequently.

    Thank you

    GM

    Hello

    Please check the config below:

    HUB:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    crypto isakmp key secretkey address 0.0.0.0 0.0.0.0   (the wildcard address is used because the remote routers have dynamic public IP addresses)
    Define your interesting traffic. Note that I have specified it for two tunnels, but it will be the same for the rest apart from the destination. For example, I used 192.168.1.0/24 and 192.168.2.0/24; you will need to replace these with your existing setup.
    ip access-list extended TUN1
     permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended TUN2
     permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    Create your Phase 2 policy
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map S2STUN 1 ipsec-isakmp dynamic HUB_TUN
    crypto dynamic-map HUB_TUN 10
     set security-association lifetime seconds 86400
     set transform-set TS
     match address TUN1
    !
    crypto dynamic-map HUB_TUN 11
     set security-association lifetime seconds 86400
     set transform-set TS
     match address TUN2
    Now apply the crypto map to your WAN interface
    interface gi0/1
     crypto map S2STUN
    Now configure your remote routers
    Remote router 1
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    !
    crypto isakmp key secretkey address x.x.x.x   (replace with the public IP address of the HUB)
    !
    ip access-list extended TUNNEL_TRAFFIC
     permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    !
    crypto map TUN_TO_HUB 10 ipsec-isakmp
     set peer x.x.x.x   (replace with the public IP address of the hub)
     set transform-set TS
     match address TUNNEL_TRAFFIC
    !
    interface gi0/1
     crypto map TUN_TO_HUB
    Remote router 2
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    !
    crypto isakmp key secretkey address x.x.x.x   (replace with the public IP address of the HUB)
    !
    ip access-list extended TUNNEL_TRAFFIC
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    !
    crypto map TUN_TO_HUB 10 ipsec-isakmp
     set peer x.x.x.x   (replace with the public IP address of the hub)
     set transform-set TS
     match address TUNNEL_TRAFFIC
    !
    interface gi0/1
     crypto map TUN_TO_HUB

    HTH.
    Please rate helpful posts.
    Kind regards
    Terence
  • Site-to-site VPN with an ASA behind a port-forwarding device

    Hi, I want to configure a site-to-site VPN between an ASA with a static public IP address and another ASA located behind a device with a public IP address that can forward ports to the ASA.

    I have found no documentation for this configuration in the Cisco KB; does anyone have a link for me or a brief description of the requirements?

    Thank you

    Tobias

    Hello

    Take a look at this documentation:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094ecd.shtml

    Hope this helps

    -Jouni

  • Confusion about site-to-site VPN access lists

    Hi all

    I was wondering if someone could help explain access lists when configuring site-to-site VPN tunnels. Basically, I used this guide to create a GNS3 lab to help me understand IPsec tunnels etc.

    http://commonerrors.blogspot.co.UK/2011/09/site-to-site-VPN-CLI-configuration-on.html

    This config works, and my confusion is about the ACLs they use. There is no mention of the internal subnet 10.1.1.1 on the US router, but the Pakistan router has its internal 172.16.x.x range in the ACLs (but not its external ISP IPs).

    Why does it work? Is this configuration incorrect?

    With these site-to-site VPN tunnels, what source/destination IP address ranges should be in them?

    Any help or information would be great.

    Thank you

    Paul

    In the crypto ACL, the source must be the local LAN subnet and the destination should be the remote LAN subnet. The crypto ACL defines the interesting traffic that you want to encrypt between the local and remote peers.

    The external interface of the router (generally the one with the public IP address assigned by the ISP) will be used to encrypt the traffic matched by the crypto ACL, and it is defined by the "set peer" command.

    Hope that helps.
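    A mirror check for the crypto ACLs described in this answer, which also applies to the hub and remote-router access lists in the ISR4331 thread above. This is an added example, not code from either thread; the sample ACL text and the 203.0.113.1 address in it are constructed.

```python
"""Added example (not from the thread): mirror-check the crypto ACLs of two IPsec
peers. On each peer the ACL must read local-LAN -> remote-LAN, so every entry
on one side must appear reversed on the other. Lines use IOS named-ACL syntax:
  permit ip <src> <src-wildcard> <dst> <dst-wildcard>   (or 'host X' / 'any')
The constructed samples reuse the hub/spoke addressing from the hub config above
(192.168.1.0/24 at the hub, 192.168.2.0/24 at the spoke).
"""
import ipaddress
from typing import List, Set, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]

def _take_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Convert the wildcard to a netmask explicitly: ipaddress reads 0.0.0.0 as a netmask.
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wild))
    return ipaddress.ip_network((tokens[i], mask), strict=False), i + 2

def parse_crypto_acl(text: str) -> Set[Entry]:
    """Collect (source, destination) pairs from 'permit ip' lines; skip the rest."""
    entries = set()
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[:2] != ["permit", "ip"]:
            continue  # remarks, deny lines, blank lines
        src, i = _take_net(t, 2)
        dst, _ = _take_net(t, i)
        entries.add((src, dst))
    return entries

def mirror_findings(local_acl: str, remote_acl: str, local_lan: str) -> List[str]:
    """Findings for the local crypto ACL; [] means both sides mirror each other."""
    local, remote = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    lan = ipaddress.ip_network(local_lan)
    findings = []
    for src, dst in sorted(local, key=str):
        if not src.subnet_of(lan):
            findings.append(f"local {src} -> {dst}: source is not inside the local LAN {lan}")
        if (dst, src) not in remote:
            findings.append(f"local {src} -> {dst}: remote peer has no mirrored {dst} -> {src}")
    for src, dst in sorted(remote, key=str):
        if (dst, src) not in local:
            findings.append(f"remote {src} -> {dst}: local peer has no mirrored {dst} -> {src}")
    return findings

# Constructed ACLs: the hub's entry, a correctly mirrored spoke ACL, and a spoke
# ACL that wrongly names the hub's public address instead of the hub LAN.
HUB_ACL = "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
SPOKE_ACL_OK = "permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
SPOKE_ACL_BAD = "permit ip 192.168.2.0 0.0.0.255 host 203.0.113.1\n"
```

Paste each peer's crypto ACL from `show access-list` into the two text arguments; any non-empty result is a proxy-identity mismatch that will make Phase 2 fail.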

  • 2 site-to-site VPN tunnels from location A to B

    Hello

    Current:

    I have an ASA 5505 (8.2.x) deployed at a client site with a public IP address provided by the customer.

    I have a site-to-site tunnel between us (site A) and the client (site B).

    The ASA (at the client) was installed with the 2 default VLANs (one for outside, one for inside using ports 2-7).

    Future:

    The customer wants another site-to-site tunnel for a separate project, but they want to use the same ASA with another port configured for a different IP scheme for this new project (which means the same public IP address, but a different VLAN IP).

    My Actions:

    (A) My first reaction was that I could not do that, but since it's the customer and I must find a way: can I reconfigure the client (site B) ASA to take a port, put it in a different VLAN (using the IP scheme for this project) and set up a second site-to-site tunnel using this VLAN?

    (B) Can I even reconfigure a port for a third VLAN on this ASA? (customer ASA 5505, 8.2.x, 10-user license).

    What is the best approach to accomplish this task?

    Thank you...

    It's a strange question. Technically you could; I think where you will fall short is that it uses the same peer address at its end.  I don't think it will end up working well... never tried it.

    I don't really understand the need for "another site-to-site tunnel", however.  Theoretically (I could be wrong here), there only needs to be one IKE phase 1 tunnel.  There may be several IKE phase 2 tunnels communicating through that tunnel at the same time, however.

    Why not leave the peer relationship as it is, expand your (and his) internal/external crypto ACLs and go from there?  ASA 8.4 supports twice NAT, which could be a solution if he has issues on his end.

    And to be honest, even the ASA 5505s that I helped set up were all at remote sites, and I'm sure each of them exists only for the purposes of a single site-to-site tunnel to my organization.

    Perhaps explain WHY he wants to do what he wants to do, too?

  • Multiple VPN groups on the ASA firewall

    I have a remote-access VPN configured on my ASA firewall with a group of users configured on the external ACS. The group, called VPNASA, authenticates via the ACS server, and the IP pool is on the ASA firewall. Now my boss has asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote-access VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate them against the same ACS server? I've never done this before, so I need help.

    Thank you very much!

    Hello

    All you need to do is create another group policy and attach it to a tunnel group:

    group-policy vpnsales internal
    group-policy vpnsales attributes
     banner value VPN access for the sales team
     dns-server value x.x.x.x
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-sales
     address-pools value sales-pool
     default-domain value mydomain.com
    tunnel-group vpnsales type remote-access
    tunnel-group vpnsales general-attributes
     authentication-server-group vpnsales
     default-group-policy vpnsales
    tunnel-group vpnsales ipsec-attributes
     pre-shared-key <key>

    You will also need to create an attribute map named vpnsales for ACS authentication.

    Thank you

    Manish

  • ASA 5510 VPN: using a public IP address for the local network

    Hello, I have a problem which is probably very simple, but I can't seem to figure it out.

    I set up a site-to-site IPsec connection with another company, something I've done many times before without a problem. I use ASDM to configure this, because it is usually quick and painless.

    We have a number of other site-to-site connections currently configured and working very well on this ASA. These are configured with the "Protected Networks - Local Network" set to the private IPs of the hosts within our network that we want to make available through the separate tunnels. This includes setting, for each connection on our ASA, the option to exempt the ASA-side hosts from NAT.

    With this new link, however, the company asked us to use a public IP address for the host that we want to reach through the tunnel. I don't know why, but they require it. So I added a NAT rule for the inside host and set up the connection with the public IP address under "Local Network". When testing, trying to reach a host on their side, the tunnel didn't even try to come up.

    What is the method here? I don't see where I'm going wrong. I'm guessing that the "exempt ASA-side host from NAT" option is not required for this, but then how would the ASA know which internal host the public IP address belongs to?

    Any ideas?

    Hi Leo,

    The steps are:

    1. Add a policy NAT rule for the specific host.

    2. Define the NAT IP as your LOCAL NETWORK address in the crypto settings.

    3. Make sure there is no NAT exempt rule for this host to the specific destination.

    What happens if you run a packet tracer?

    Thank you.

  • Cannot ping remote IP on ASA (site-to-site VPN on ASA); no firewall, no proxy configured, ICMP not inspected, no luck

    Someone help me

    (Q) Unable to ping the remote IP on the ASA; it is not the firewall and not the PC (site-to-site VPN on ASA); no proxy configured, ICMP not inspected, no luck

    Note: I can ping the PC, but not the IP on the ASA2 L3 interface in the same subnet

    PC ---> ASA1 <--> ASA2

    Hi Matt,

    Let me answer your question in two points:

    • You cannot ping an ASA on an interface other than the one through which you are connected to the ASA.

    For example, ASA1 and ASA2 are connected through their "outside" interfaces. ASA1 (or any other device on the outside interface) cannot ping/access ASA2 on its (ASA2's) inside interface. The only time this can be overridden is over a VPN tunnel with the "management-access" command configured for the other interface, for example management-access inside.

    • Traffic from ASA1 pinging a remote client behind ASA2 won't go over the VPN tunnel and as such is not encrypted. That's because ASA1 will forward traffic based on its routing table, which probably sends it out through its "outside" interface. Unless that traffic is allowed by ASA2 (using the ACL), it will fail.

    On routers we can source our ping from another interface, but that will not work on the ASA.
