options for VPN

Discussion in 'Routing & Switching' started by hsnanua, Aug 10, 2011.

  1. hsnanua

    hsnanua New Member

    Dear all,

    I have an issue. We have been told by our tutor to find a solution for a scenario and I have been cracking my head.

    I have a Cisco Asa firewall (5505). I normally connect to a remote entity using IPSEC VPN. Now, the scenario is, the client (remote entity) wants to use public IP VPN tunnel instead of Private IP vpn...

    Question:

    1. What is the difference between public ip vpn and private ip vpn?
    2. Can the cisco ASA 5505 support public ip vpn?
    3. If so, how do we configure it?
    4. Are there any other options to this?

    Please assist? I was looking at split tunneling and all... :(

    Thanks
     
  2. Rob1234

    Rob1234 Megabyte Poster Forum Leader

    Have you tried going to a library? They will have some great books on this subject. Or maybe speak to your tutor; after all, he is paid to help you.
     
    Certifications: A few.
  3. csx

    csx Megabyte Poster

    Agreed, I feel as if I would be doing someone else's work... and also this for your first post? Rather nice...
     
    Certifications: A+, Network+, 70-271 & 70-272, CCENT, VCP5-DCV and CCNA
    WIP: Citrix
  4. steve_p1981

    steve_p1981 Byte Poster

    I thought this forum was for advice. I personally don't know the answer, but I would at least point him in the right direction if I did.
     
    Certifications: A+ 220-701 and 220-702
    WIP: none at current but poss 70-680 soon
  5. SimonD
    Honorary Member

    SimonD Terabyte Poster

    They did, they advised him to go to the library and read up on it.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  6. jonny7_2002

    jonny7_2002 Byte Poster

    This forum is to help and help we shall!! 8)

    I could be really wrong here and interpreting the question wrong, but it sounds like the tutor is asking for the crypto policy to be applied to the outgoing interface (with the public IP) rather than a tunnel interface?

    The below configuration shows the general idea....

    ! Phase 1 (ISAKMP) policy and pre-shared key for the remote peer
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 480
    crypto isakmp key PSK address 212.211.x.x
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    !
    ! Phase 2 (IPsec) transform set
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    ! Crypto map tying the peer, transform set and interesting traffic together
    crypto map VPN_CMAP 1 ipsec-isakmp
     description Tunnel to 212.211.x.x
     set peer 212.211.x.x
     set security-association lifetime kilobytes 100000
     set transform-set ESP-3DES-SHA
     set pfs group2
     match address 100
    !
    ! Crypto map applied directly to the public-facing (WAN) interface
    interface Dialer1
     description WAN_CONNECTION
     crypto map VPN_CMAP
    !
    ! Interesting traffic: local LAN to the remote LAN and to the peer itself
    access-list 100 permit ip 10.172.3.0 0.0.0.255 10.171.3.0 0.0.0.255
    access-list 100 permit ip 10.172.3.0 0.0.0.255 host 212.211.x.x

    This is taken from one of my implementations, but most of my other site-to-sites are configured with tunnel interfaces with private IPs configured on the tunnel at each end.....

    The config above is specific to my configuration to connect to an ISA server, so it may not be the best to copy and paste! :D Look up the commands (if you do not know them already) if this sounds right and looks like a possible answer to your worries! Hope this helps.

    Cheers
    Jon

    EDIT: Just seen that you are using an ASA anyway, so the config won't work, but the idea may still apply!
     
    Last edited: Aug 11, 2011
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  7. Rob1234

    Rob1234 Megabyte Poster Forum Leader

    Sometimes the best way to help someone is to teach them to do things for themselves.
     
    Certifications: A few.
  8. jonny7_2002

    jonny7_2002 Byte Poster

    But at the same time, pointing someone in a "POSSIBLE" direction doesn't give them the answer outright; it gives them an option to follow rather than sitting there scratching their ..... head! :D
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  9. craigie

    craigie Terabyte Poster

    The Cisco VPN Client is used to allow a single remote worker to connect from any location, as long as they have access to the internet, using IPSec L2TP with either certificates or a pre-shared key for authentication.

    A Site to Site VPN is used to connect a branch location to a head office infrastructure and should always be on so that any user in the branch office can access network resources.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  10. hsnanua

    hsnanua New Member

    Thanks for all the views... I have not been going to the library since I have all the needed books at home. Perhaps I did not put the question in the best way. Ok, refer to this image.

    I am asked if there is a way to produce a VPN using a public IP address from the VPN router (which is a Cisco ASA). Everything below the ProServe router has all been NATed to private IP addresses.

    The question is: is it still possible to make a VPN link from the VPN router using a public IP address?

    Based on my research (which I have done for quite some time now), there are three possibilities:

    1. There is no way.
    2. Deploy a GRE router from the ProServe router to the VPN router through the switch, and then deploy a VPN router. This is too troublesome, but possible. I need your comments on this.

    3. Another is to create a VPN from the ProServe router directly to whoever is concerned.

    Option (1) is a dead end. Option (2) is complicated. Option (3) is more likely, but not the solution, since I am not in control of those routers.

    What do you think?

    Thank you..

    Ps. I noticed how we put the certs under the name. Hmm.. let me try that

    CISSP, CCNP (CCIE-written), CCVP, CCIP
    MSc. Telecommunications and IT (UK)

    Quote: He who asks is a fool for five minutes, but he who does not ask remains a fool forever.

    private ip vlan.png
     
    Last edited: Aug 11, 2011
  11. craigie

    craigie Terabyte Poster

    Why can't you NAT a Public IP from the ProServer Router onto a spare interface on your Cisco ASA and then create the VPN directly to that?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  12. jonny7_2002

    jonny7_2002 Byte Poster

    Craigie's idea is the better one, I would say.... or redesign the network so you are in control of it all! :lol:
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  13. hsnanua

    hsnanua New Member

    I agree with Craigie: NAT a public IP from ProServe onto a spare interface of my Cisco ASA FW (VPN router).

    steps:

    1. Do a NAT outside for the ProServe router, with the access list too.
    2. Do a NAT inside on the ASA.
    3. Create FW directly from here.

    Am I missing a step here?

    Thanks!
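    As an added example of the three steps above written out as configuration (this is not config posted by anyone in the thread, and it is not taken from the ASA in the diagram): it assumes ASA 8.2-era NAT syntax on the 5505, and every address is a made-up documentation range (ProServe public IP 203.0.113.10, a 192.168.1.0/24 link between ProServe and the ASA's spare outside interface, local LAN 10.172.3.0/24, remote peer 198.51.100.1 with LAN 10.171.3.0/24); the pre-shared key is a placeholder.

```cisco
! --- Step 1: ProServe router (IOS). Static 1:1 NAT of the public IP to the
! --- ASA's outside address, and an inbound ACL that only lets the IPsec
! --- peer reach it (ISAKMP udp/500, NAT-T udp/4500, ESP).
! --- All addresses here are constructed for the example.
ip nat inside source static 192.168.1.2 203.0.113.10
ip access-list extended PROSERVE_OUTSIDE_IN
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 ip access-group PROSERVE_OUTSIDE_IN in
interface GigabitEthernet0/1
 description towards ASA spare interface
 ip nat inside

! --- Step 2: ASA 5505 (8.2 syntax). Spare VLAN interface facing ProServe
! --- becomes "outside"; inside LAN is PAT'ed except for tunnelled traffic.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.172.3.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1

! Interesting traffic; the same ACL doubles as the NAT exemption list so the
! tunnelled packets keep their private source addresses.
access-list VPN_TRAFFIC extended permit ip 10.172.3.0 255.255.255.0 10.171.3.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Step 3: build the site-to-site tunnel from the ASA's outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T is required because the ASA itself sits behind ProServe's NAT.
crypto isakmp nat-traversal 20

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

    Two points that are easy to miss with this layout: the remote side has to point its peer at the NATed public address (203.0.113.10 here), not at the ASA's real 192.168.1.2, and NAT traversal must stay enabled so ESP is carried inside UDP/4500 through ProServe. Once both ends are up, show crypto isakmp sa and show crypto ipsec sa on the ASA confirm phase 1 and phase 2 respectively, and encaps/decaps counters that only move in one direction usually mean the ProServe ACL or NAT is dropping the return traffic.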
     
  14. Rob1234

    Rob1234 Megabyte Poster Forum Leader

    The quote is more aimed at questions on certification, as this is a forum about certs, not people's homework; more than happy to help people who give something back to the forum, not people whose first post is a homework question.

    Nice certs you have there; makes me think people at work are right when they say certs don't mean you know anything about the subject, and judging by the question you need help with, I think they might be right.
     
    Certifications: A few.
  15. craigie

    craigie Terabyte Poster

    Yep thats about it.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  16. craigie

    craigie Terabyte Poster

    Mate, don't you belittle my CCNA LOL :D
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  17. hsnanua

    hsnanua New Member


    If that rocks your boat...sure
     
