Not possible IMO. You must configure NAT on the router. Even if ASA allows
you to send that traffic (which is not possible due to default anti-spoofing
rules), the crypto engine will take IP address form the interface not from
the translation.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
�If you can't explain it simply, you don't understand it well enough� -
Albert Einstein
2011/3/13 Amin <amin_at_axizo.com>
> 100% sure.
>
>
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 1:54 AM
>
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
>
>
> Are you sure you have routing for 82.213.48.x network pointing to your ASA?
>
>
>
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> But I don�t have access to the edge router, any other options!!
>
>
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 1:46 AM
>
>
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
>
>
> In that case you should NAT on the edge router. In case of NAT on the ASA
> this will trigger anti-spoofing behavior.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> �If you can't explain it simply, you don't understand it well enough� -
> Albert Einstein
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> Here the configuration
>
>
>
> ! 172.23.1.54 is the IP of the outside interface
>
> static (outside,outside) 82.213.48.101 172.23.1.54 netmask 255.255.255.255
>
>
>
> ! I permit everything to this translated ip
>
> access-list acl_in_inside extended permit ip any host 82.213.48.101
>
>
>
> But it doesn�t work?
>
>
>
> Regards,
>
> Amin
>
>
>
>
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 12:13 AM
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
>
>
> Where do you want to translate? On ASA or on router? Either way should
> work.
> Just configure static translation of ASA's outside IP and connect to that
> Public IP address.
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> �If you can't explain it simply, you don't understand it well enough� -
> Albert Einstein
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> Hi experts,
>
> How I configure an ASA for VPN if no real IPs assigned to any interface, I
> have range of real that I can use for translation, but no reals to the
> interfeaces.
>
> How I can use one of these reals for the ASA privatesreal maping for
> itself.
>
> Regards,
>
> Amin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net
Received on Mon Mar 14 2011 - 11:04:02 ART