How to Static Nat translation over IPSEC

I am trying to set up an IPsec tunnel. One of the requirements from the people we are connecting to is that we must appear to source the tunnel from a public IP instead of the private IP of the box. I do not know what model device they are using, but I do know it is a Checkpoint. Ours is a Cisco ASA5505. Our config looks like this.

The other side uses a Checkpoint and their hosts are also NAT'd. For the purpose of this post I will call them Remote Peer1 and Remote Peer2. Their Checkpoint VPN will be called Checkpoint Firewall.

Remote Peer1 Static Nat to 2.2.2.2
                                      Checkpoint      ASA5505      Our Local host Static Nat'd to 3.3.3.2
Remote Peer2 Static Nat to 2.2.2.3    2.2.2.1         3.3.3.1

Do I need to use Nat 0 still? I would think not, because Nat 0 does not NAT. Is my config correct or am I missing something?

Thanks in advance,

Steve

interface Vlan1
 nameif inside
 security-level 100
 ip address Private Address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Public Address
!
access-list outside_in extended permit udp host Public Address host 207.218.190.2 eq isakmp
access-list outside_in extended permit ip host Remote Peer1 host Cubs_Outside log
access-list outside_in extended permit ip host Remote Peer2 host Cubs_Outside log
access-list outside_in extended deny ip any host Cubs_Outside log

access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-group outside_in in interface outside

crypto ipsec transform-set The_Client esp-3des esp-sha-hmac
crypto map The_Client 1 match address From_Holtz
crypto map The_Client 1 set pfs
crypto map The_Client 1 set peer Checkpoint Firewall
crypto map The_Client 1 set transform-set The_Client

crypto map The_Client interface outside

crypto isakmp enable outside

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20
tunnel-group Checkpoint Firewall type ipsec-l2l
tunnel-group Checkpoint Firewall ipsec-attributes
 pre-shared-key *
