I am trying to set up an IPsec tunnel. One of the requirements from the people we are connecting to is that we must appear to source the tunnel from a public IP instead of the private IP of the box. I do not know what model device they are using, but I do know it is a Checkpoint. Ours is a Cisco ASA5505. Our config looks like this.
The other side uses a Checkpoint and their hosts are also NAT'd. For the purpose of this post I will call them Remote Peer1 and Remote Peer2. Their Checkpoint VPN will be called Checkpoint Firewall.

Remote Peer1 (static NAT to 2.2.2.2) ---+
                                        +--- Checkpoint Firewall (2.2.2.1) ===== ASA5505 (3.3.3.1) --- Our local host (static NAT'd to 3.3.3.2)
Remote Peer2 (static NAT to 2.2.2.3) ---+
Do I need to use nat 0 still? I would think not, because nat 0 does not NAT. Is my config correct, or am I missing something?
Thanks in advance,
Steve
interface Vlan1
 nameif inside
 security-level 100
 ip address Private Address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Public Address
!
access-list outside_in extended permit udp host Public Address host 207.218.190.2 eq isakmp
access-list outside_in extended permit ip host Remote Peer1 host Cubs_Outside log
access-list outside_in extended permit ip host Remote Peer2 host Cubs_Outside log
access-list outside_in extended deny ip any host Cubs_Outside log
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-group outside_in in interface outside
crypto ipsec transform-set The_Client esp-3des esp-sha-hmac
crypto map The_Client 1 match address From_Holtz
crypto map The_Client 1 set pfs
crypto map The_Client 1 set peer Checkpoint Firewall
crypto map The_Client 1 set transform-set The_Client
crypto map The_Client interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20
tunnel-group Checkpoint Firewall type ipsec-l2l
tunnel-group Checkpoint Firewall ipsec-attributes
 pre-shared-key *
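An added example, not part of the post above: on an ASA running the pre-8.3 NAT syntax shown here (static/global/nat), static NAT is applied to outbound traffic before the crypto map is evaluated, so a crypto ACL that matches the real inside address will never see the translated packets. The script below parses a constructed config excerpt (the poster's placeholder names, with spaces replaced by underscores, and a hypothetical audit_crypto_acl function) and reports crypto ACL entries whose source is a pre-NAT address.

```python
import re

# Constructed excerpt modelled on the post's config; the names are the
# poster's placeholders, not real addresses.
ASA_CONFIG = """
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer2
crypto map The_Client 1 match address From_Holtz
"""

# static (real_ifc,mapped_ifc) mapped_addr real_addr ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
# Only host-to-host permit entries are modelled here.
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+) host (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def audit_crypto_acl(config):
    """Return findings for crypto ACL sources that are real (pre-NAT) addresses."""
    statics = {}      # real (inside) address -> mapped (outside) address
    acls = {}         # ACL name -> list of (src, dst)
    crypto_acls = []  # ACL names referenced by a crypto map
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _, _, mapped, real = m.groups()
            statics[real] = mapped
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            if src in statics:
                findings.append(
                    f"{name}: source {src} is the real address, but traffic to {dst} "
                    f"is translated to {statics[src]} before the crypto map is checked"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_acl(ASA_CONFIG):
        print(finding)
```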