Cisco ASA5505 VPN Tunnel Using Nat

on 17.08.2007 15:34:06 by sjohnson

I have been asked to set up a site-to-site VPN tunnel using IPsec.
Building the tunnel is not an issue for me. However, the folks at the
remote site are requiring that we provide a public IP address for our
local host, which they will be connecting to. I have searched the
cisco.com site and have not found an easily explained solution. The
remote site wants a configuration similar to the one below:

Remote site
VPN End Point: 1.1.1.1
Host IP addresses at remote site: 2.2.2.1 and 2.2.2.2

Our site
VPN End Point: 3.3.3.3
Local host which will be tunneling traffic: They are requiring this to
be a public IP. Currently we use RFC 1918 addresses, which means we
will have to translate a public address to our private host addresses.

Can I simply set up a static NAT statement which translates the public
address to our private address, as we are only using one host on our
side? Then do I set "match address" to the public IP?

Thanks,
Steve J

Re: Cisco ASA5505 VPN Tunnel Using Nat

on 20.08.2007 18:47:59 by sjohnson

Anybody got any suggestions?

Re: Cisco ASA5505 VPN Tunnel Using Nat

on 05.11.2007 03:30:11 by Scott Stokes

This is a lot easier than most people think. Just nat the inside to an
external IP.

static (inside,outside) 4.4.4.4 3.3.3.3 netmask 255.255.255.255

And then when you configure the ACLs for the VPN use the 4.4.4.4 as the
host on your side. And do not configure a NoNat ACL.

That's it.

Scott
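
The approach in the reply above, written out as an added example (not part of the original post): static NAT, a crypto ACL that matches the translated address, and no NAT exemption. The private address 10.0.0.10 and the names VPN-TO-REMOTE, ESP-AES256-SHA and outside_map are assumptions; ISAKMP policy and tunnel-group settings are omitted because the thread treats the tunnel itself as already solved.

```cisco
! Added example. ASA 7.x / 8.0-8.2 syntax (the "static" command was replaced in 8.3).
! 10.0.0.10 is an assumed private address for the inside host; the thread does not give it.

! 1. Present the inside host to the outside as 4.4.4.4.
static (inside,outside) 4.4.4.4 10.0.0.10 netmask 255.255.255.255

! 2. Crypto ACL written with the translated source address and limited
!    to the two remote hosts rather than a whole network.
access-list VPN-TO-REMOTE extended permit ip host 4.4.4.4 host 2.2.2.1
access-list VPN-TO-REMOTE extended permit ip host 4.4.4.4 host 2.2.2.2

! 3. No "nat (inside) 0 access-list ..." entry for this traffic.
!    NAT is applied before the crypto ACL is checked, so an exemption would
!    leave the private source address in place and the packet would not
!    match VPN-TO-REMOTE.

! 4. Bind the ACL to the tunnel toward the remote endpoint.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address VPN-TO-REMOTE
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

! 5. Verify: the translation exists and the SA's local ident is 4.4.4.4.
show xlate
show crypto ipsec sa peer 1.1.1.1
```

The static translation is not specific to the tunnel, so whether anything outside the VPN can reach 4.4.4.4 still depends on the access-list applied to the outside interface.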

Re: Cisco ASA5505 VPN Tunnel Using Nat

on 05.11.2007 19:02:16 by Newbie72

I should have gone back and closed this thread. You are right, though.
It ended up being a lot easier than I thought.

I ran out of time and threw caution to the wind a week or 2 ago and did
just as you suggested, and it now works flawlessly. Thanks for the
reply.