How about VPN cluster? I think Tyson brought this up before. If that range is being routed to firewall, cluster may allow this (assuming you have security plus on your device or a 5520 and above). Otherwise, RFC 1918 addressing on the ASA usually requires NAT on edge router as Piotr mentioned.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805fda25.shtml
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Piotr Matusiak
Sent: Monday, March 14, 2011 6:04 AM
To: Amin
Cc: ccielab_at_groupstudy.com
Subject: Re: VPN on an ASA with nor real IPs on its interfaces.
Not possible IMO. You must configure NAT on the router. Even if ASA allows you to send that traffic (which is not possible due to default anti-spoofing rules), the crypto engine will take IP address from the interface not from the translation.
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705 Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/3/13 Amin <amin_at_axizo.com>

> 100% sure.
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 1:54 AM
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
> Are you sure you have routing for 82.213.48.x network pointing to your ASA?
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> But I don't have access to the edge router, any other options!!
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 1:46 AM
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
> In that case you should NAT on the edge router. In case of NAT on the
> ASA this will trigger anti-spoofing behavior.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705 Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough
> - Albert Einstein
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> Here the configuration
>
> ! 172.23.1.54 is the IP of the outside interface
> static (outside,outside) 82.213.48.101 172.23.1.54 netmask 255.255.255.255
>
> ! I permit everything to this translated ip
> access-list acl_in_inside extended permit ip any host 82.213.48.101
>
> But it doesn't work?
>
> Regards,
> Amin
>
> *From:* Piotr Matusiak [mailto:pitt2k_at_gmail.com]
> *Sent:* Monday, March 14, 2011 12:13 AM
> *To:* Amin
> *Cc:* ccielab_at_groupstudy.com
> *Subject:* Re: VPN on an ASA with nor real IPs on its interfaces.
>
> Where do you want to translate? On ASA or on router? Either way should
> work.
> Just configure static translation of ASA's outside IP and connect to
> that Public IP address.
>
> Regards,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security), CCSI #33705 Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough
> - Albert Einstein
>
> 2011/3/13 Amin <amin_at_axizo.com>
>
> Hi experts,
>
> How I configure an ASA for VPN if no real IPs assigned to any
> interface, I have range of real that I can use for translation, but no
> reals to the interfaces.
>
> How I can use one of these reals for the ASA privatesreal mapping for
> itself.
>
> Regards,
>
> Amin
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Mon Mar 14 2011 - 12:23:06 ART
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART