VPN IP Addressing Problem

My current network looks like this:

(Public IP) Router (Private IP) ----------- (Private IP) ASA, performs NAT to two public IPs, one for the mail server and the rest for all other traffic (private IP) ------- LAN

And this works great except that now I want to implement VPNs terminating at the ASA, but the ASA's external IP address is a private IP, not public. And I was only given 5 public IPs to work with from my provider. Can I just VPN to the public IP that is NATed to the LAN private IPs even though it isn't the actual IP address of the outside interface on the ASA? Will the ASA see it as a VPN tunnel and not NAT the traffic, but let all regular traffic through to be NATed to the LAN?

Thanks in advance.

Reply to
K.J. 44

You need to static NAT another public IP to the ASA's private IP. I think you'll also need to set the phase 1 ID of the VPN to that public IP; it probably defaults to the ASA's private IP, which won't match what the VPN clients think they're connecting to.

Reply to
Barry Margolin

My issue is that I do not have another public IP to use. I was given a block of IPs and they are used up with my public interface on the router, then the NAT for the mail server and the PAT for all other traffic.

Is there any way around needing another public IP?

Say I was given 10.10.10.8 /29 as my public IP block. Here is what I did...

Internet Gateway (10.10.10.9)-----(10.10.10.10/30) Router (Private IP)

------ (private IP) ASA Static NAT to mail server 10.10.10.14 /30 and PAT for traffic 10.10.10.13 /30 (private IP) ----LAN

Could I use the network address for the 10.10.10.12 /30 network? I know that it is bad practice, but will the ASA let me use it? Would there be any repercussions?

Thanks.


Reply to
K.J. 44

Rather than using one of your IPs for the PAT pool, use the outside interface (assuming it's a public). That will free up an IP for your static.

clear xlate
no global (outside) 1
clear xlate
global (outside) 1 interface

Reply to
Brian V

I will still be one short, won't I?

Because of the

(public) Router (private IP) ------ (Private IP) ASA (Private IP) ---- LAN

If I took the public IP I am using for PAT and applied it to the interface, I would need an IP in the same subnet (also Public) to apply to the inside interface of the Router (currently Private). The IP in that same subnet is already being used for my mail server (static NAT).

The only thing I have left is if I use the network address which Cisco equipment will not even let you use.

I am assigned the 10.10.10.8 /29 subnet

Internet Gateway (10.10.10.9)-----(10.10.10.10/30) Router (Private IP)

------ (private IP) ASA Static NAT to mail server 10.10.10.14 /30 and PAT for traffic 10.10.10.13 /30 (private IP) ----LAN

I guess I have to get another public IP for my VPNs, then I can make the PTP connection between the router and ASA a public IP network and can use the ASA interface for both the PAT and the VPN address, leaving me with my other public IP to static NAT for my mail server.

Unless anyone can come up with something else.... grrrrrrr


Reply to
K.J. 44

Please don't top post. It makes following a thread very hard.

The "router", is it dual ethernet or using a serial on the outside?

If it's a serial, do the following:
Gateway gets IP #1
Router outside interface gets the command ip unnumbered, and assign your #2 public to the inside interface
ASA gets IP #3 on the outside
ASA gets IP #4 for your mail server
ASA uses IP #3 for its PAT pool
You still got 2 usable IPs left over...see no problems there

If the router is dual ethernet, why do you need it? Why can't you just use the ASA?
Gateway gets IP #1
ASA outside gets IP #2
Mail server gets IP #3
ASA uses IP #2 for PAT

Now we got 3 usables left...again, see no problems

Reply to
Brian V

I was not aware of the IP Unnumbered. I will try that. Though the gateway is actually at my provider. I am not sure if that will cause a breakdown with routing on their end or not. I will try it out after everyone leaves :)

Thanks.


Reply to
K.J. 44

Don't forget to change your default route on the router. Right now you most likely have:
ip route 0.0.0.0 0.0.0.0
You need to change it to:
ip route 0.0.0.0 0.0.0.0 S0/0
(or whatever your serial interface is).

Reply to
Brian V
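The serial-uplink addressing plan from the replies above, written out as an added example configuration that is not from the thread. It uses the thread's placeholder block 10.10.10.8/29 as the "public" range; the interface names, the 192.168.1.0/24 LAN and the mail server's private address are assumed, and the ASA side uses the pre-8.3 nat/global/static syntax the thread discusses.

```cisco
! --- Router: serial uplink to the provider (assumed interface names) ---
! The serial interface borrows the inside interface's address with
! ip unnumbered, so the point-to-point link costs no public IP.
interface FastEthernet0/1
 description Link to ASA outside (IP #2)
 ip address 10.10.10.10 255.255.255.248
!
interface Serial0/0
 description Uplink to provider gateway 10.10.10.9 (IP #1)
 ip unnumbered FastEthernet0/1
!
! With ip unnumbered the default route must name the serial interface,
! not a next-hop address, as the last reply points out.
ip route 0.0.0.0 0.0.0.0 Serial0/0

! --- ASA: outside interface now carries a public address (IP #3) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.11 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! PAT all inside hosts behind the outside interface address (.11)
! instead of spending a separate public IP on a global pool.
! VPN peers would also terminate on this same address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Static NAT for the mail server (IP #4; private address is constructed)
static (inside,outside) 10.10.10.12 192.168.1.10 netmask 255.255.255.255
!
route outside 0.0.0.0 0.0.0.0 10.10.10.10 1
```

With this layout 10.10.10.13 and 10.10.10.14 remain unused, matching the "2 usable IPs left over" in the reply; the provider must route the /29 toward the serial link for it to work.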
