How to Static Nat translation over IPSEC

on 10.10.2007 23:15:49 by sjohnson

I am trying to setup an ipsec tunnel. One of the requirements from the
people we are connecting to is we must appear to source the tunnel
from a public IP instead of the private ip of the box. I do not know
what model device they are using but I do know it is a checkpoint.
Ours is a Cisco ASA5505. Our config looks like this.

The other side uses a checkpoint and their hosts are also Nat'd. For
the purpose of this post I will call them Remote Peer1 and Remote
Peer2. Their Checkpoint VPN will be called Checkpoint Firewall.

Remote Peer1 Static Nat to 2.2.2.2    Checkpoint    ASA5505    Our Local host Static Nat'd to 3.3.3.2
Remote Peer2 Static Nat to 2.2.2.3    2.2.2.1       3.3.3.1

Do I need to use Nat 0 still? I would think not because Nat 0 does not
nat. Is my config correct or am I missing something?

Thanks in advance,

Steve

interface Vlan1
nameif inside
security-level 100
ip address Private Address
!
interface Vlan2
nameif outside
security-level 0
ip address Public Address
!
access-list outside_in extended permit udp host Public Address host 207.218.190.2 eq isakmp
access-list outside_in extended permit ip host Remote Peer1 host Cubs_Outside log
access-list outside_in extended permit ip host Remote Peer2 host Cubs_Outside log
access-list outside_in extended deny ip any host Cubs_Outside log

access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote Peer2

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-group outside_in in interface outside

crypto ipsec transform-set The_Client esp-3des esp-sha-hmac
crypto map The_Client 1 match address From_Holtz
crypto map The_Client 1 set pfs
crypto map The_Client 1 set peer Checkpoint Firewall
crypto map The_Client 1 set transform-set The_Client

crypto map The_Client interface outside

crypto isakmp enable outside

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp nat-traversal 20
tunnel-group Checkpoint Firewall type ipsec-l2l
tunnel-group Checkpoint Firewall ipsec-attributes
pre-shared-key *
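An added example, not from the post or from Cisco: a small Python lint that parses the `static` NAT statement and the crypto-map ACL in the shape shown above and flags crypto ACL entries whose source is the real (pre-NAT) address. It assumes the order of operations of ASA releases before 8.3, where static NAT is applied before the crypto map is evaluated, so the crypto ACL has to name the translated address; the config string is constructed from the post, with Remote_Peer1 and Remote_Peer2 standing in for the peer addresses.

```python
import re

# Constructed sample in the shape of the post's config. Object names are the post's;
# Remote_Peer1/Remote_Peer2 are placeholders for the peers' static NAT addresses.
SAMPLE_CONFIG = """
static (inside,outside) Cubs_Outside Cubs_Inside netmask 255.255.255.255
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer1
access-list From_Holtz extended permit ip host Cubs_Inside host Remote_Peer2
crypto map The_Client 1 match address From_Holtz
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def parse(config):
    """Return (real->mapped static NAT dict, acl name -> [(src, dst)], crypto ACL names)."""
    statics, acls, crypto_acls = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _real_ifc, _mapped_ifc, mapped, real, _mask = m.groups()
            statics[real] = mapped
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := MAP_RE.match(line):
            crypto_acls.add(m.group(1))
    return statics, acls, crypto_acls


def find_pre_nat_sources(config):
    """(acl, src, dst, mapped) for crypto ACL entries whose source is a statically translated real address."""
    statics, acls, crypto_acls = parse(config)
    return [(name, src, dst, statics[src])
            for name in sorted(crypto_acls)
            for src, dst in acls.get(name, [])
            if src in statics]


def corrected_acl_lines(config):
    """Crypto ACL lines rewritten so each source is the post-NAT (mapped) address."""
    statics, acls, crypto_acls = parse(config)
    return [f"access-list {name} extended permit ip host {statics.get(src, src)} host {dst}"
            for name in sorted(crypto_acls)
            for src, dst in acls.get(name, [])]


if __name__ == "__main__":
    for name, src, dst, mapped in find_pre_nat_sources(SAMPLE_CONFIG):
        print(f"{name}: source {src} -> {dst} is pre-NAT; ASA will see {mapped} after static NAT")
    print("\n".join(corrected_acl_lines(SAMPLE_CONFIG)))
```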