Cisco – Setting up VPN on Cisco ASA with private IP on outside interface

I am trying to set up our ASA 5510 to allow IPsec (IKEv1) access to the inside network through VPN. The hard part about our setup is that the outside interface does not have a public IP address assigned to it.

Current setup:
Router -> ASA

In between the Router and ASA is a private network. All public IPs are assigned from the ASA to the host on the DMZ.

So I first attempted setting up one of the free public IPs on the ASA. This was set up with a subinterface of 2 and VLAN 1 on the outside interface. Then I set up VPN to work over the new interface and that didn’t seem to work.
So I wasn’t sure what the best way of setting up remote VPN access with the ASA is when the ASA doesn’t have any public IPs. Any thoughts would be very helpful.

Best Answer

Your topology is Router -> ASA and you need the ASA to have an effective public IP for VPN clients to connect to it.

This requires a one-to-one NAT to give the ASA an effective public IP.

Cisco has a pretty good rundown on how to configure NAT on their routers: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

If you don't have a Cisco router then you'll need to get the documentation for configuring static or one-to-one NAT on the router. If you don't control the router you will need to request a one-to-one NAT from the administrator who does.
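A sketch of the one-to-one NAT described in the answer above, as an added example that is not part of the original answer. It assumes a Cisco IOS router; the interface names, the ACL name, the ASA outside address 10.0.0.2 and the public address 203.0.113.10 are constructed placeholders. Because a static NAT exposes every port of the ASA's outside interface, the example also limits inbound traffic for that address to the IPsec protocols.

```cisco
! ---- Router (Cisco IOS), all addresses and names are assumed placeholders ----
! Internet-facing interface
interface GigabitEthernet0/0
 ip nat outside
 ip access-group ASA-VPN-IN in
!
! Interface on the private transit network towards the ASA
interface GigabitEthernet0/1
 ip nat inside
!
! One-to-one (static) NAT: ASA outside address 10.0.0.2 <-> public 203.0.113.10
ip nat inside source static 10.0.0.2 203.0.113.10
!
! Inbound ACLs are evaluated before NAT on the outside interface,
! so the entries match the public (global) address.
ip access-list extended ASA-VPN-IN
 ! IKE
 permit udp any host 203.0.113.10 eq isakmp
 ! IKE/ESP encapsulated in UDP (NAT-T, UDP 4500)
 permit udp any host 203.0.113.10 eq non500-isakmp
 ! Native ESP
 permit esp any host 203.0.113.10
 ! Nothing else may reach the ASA's translated address
 deny ip any host 203.0.113.10
 ! Leave traffic for the DMZ public IPs to the ASA's own policy
 permit ip any any
!
! ---- ASA ----
! The ASA now sits behind NAT, so NAT traversal must be active for IKEv1
! (keepalive interval of 20 seconds is an assumed value)
crypto isakmp nat-traversal 20
```

VPN clients then connect to 203.0.113.10; `show ip nat translations` on the router confirms the static entry is in place.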