Help Needed - Cisco ASA 5510 to PIX506E VPN

Status
Not open for further replies.

eMailDude

MIS
Oct 26, 2009
12
US
Hi, I am an Active Directory / eMail / server guy who's inherited a rather complex Cisco infrastructure to manage (other guy left, they won't replace him) and I have a question about site-to-site VPN.

We have 3 offices, the main office has a Cisco ASA 5510 running version 8 and two smaller offices with PIX 506E version 6. My boss wants me to do a site-to-site VPN between the 3 locations, with HQ as the hub. The 2 remote offices have the outside interface of the PIX connected directly to the Cisco router that AT&T provided and manages, however the HQ office has a FatPipe Warp between the Cisco router and the ASA. The FatPipe is doing NAT for 3 different internet circuits and the IP address between the FatPipe and the ASA is a 172.16 address, so effectively I'm going to be double-natting (I've been researching).

I believe I am going to need the NAT transparency option enabled in the ASA, based on the docs from Cisco.

I've located all the Cisco documentation on performing a site to site VPN between PIX and ASA, but all the documentation assumes the firewall outside interface connects directly to the public side.

My question is this (and I am sure I might have others):

When I configure the VPN connection from a remote office it is asking for the public IP on the other end. I assume I need to assign a public IP in the FatPipe and map it to an internal IP (172 address), should I be mapping that public IP to the ASA outside interface?

internet --- fatpipe (lan 172.16.0.1) --- asa ( outside 172.16.0.250 : inside 192.168.0.250) --- inside network

thanks in advance for any help you can provide.

Jim
 
You're on the right track. If the ASA is the only item behind your FP then you could NAT (one of) the external interfaces of the FP to your ASA so that all packets coming into that IP would be routed through the ASA. In fact I would think that that would be the case for all of the interfaces on the FP unless you had multiple ASA devices handling multiple networks and/or protocols (http vs. ftp, smtp).
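For readers following this thread, here is an added example of what the two ends of such a hub-and-spoke tunnel look like once the FatPipe has a static NAT from one of its public IPs to the ASA outside interface (172.16.0.250). This is not configuration from the poster or the replier; the public addresses (198.51.100.5 for the FatPipe's mapped public IP, 203.0.113.10 for one PIX 506E), the remote LAN 192.168.1.0/24 and the pre-shared key are placeholders. What the example shows that the thread only states in words: the PIX must point its peer at the FatPipe's public IP (it never sees the 172.16 address), both sides enable NAT traversal so ISAKMP can detect the NAT and move ESP into UDP/4500, and the FatPipe's static mapping must therefore pass UDP/500 and UDP/4500 through to the ASA. NAT exemption (`nat 0`) on each firewall keeps the tunnelled traffic from being translated a third time.

```cisco
! ===== HQ ASA 5510, version 8.0-8.2 syntax (added example, placeholder values) =====
! Outside interface is 172.16.0.250, behind the FatPipe's static NAT 198.51.100.5 -> 172.16.0.250.
! The FatPipe mapping must forward UDP/500 (ISAKMP) and UDP/4500 (NAT-T encapsulated ESP).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT transparency: detect the NAT in front of the ASA and encapsulate ESP in UDP/4500,
! sending a keepalive every 20 seconds so the FatPipe's translation does not time out.
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Interesting traffic: HQ LAN to remote LAN (remote subnet is an assumption).
access-list HQ_TO_REMOTE1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption so the ASA does not translate traffic headed into the tunnel.
nat (inside) 0 access-list HQ_TO_REMOTE1
crypto map OUTSIDE_MAP 10 match address HQ_TO_REMOTE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
! The tunnel-group name is the remote PIX's public IP; the PIX is directly on the AT&T router.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET

! ===== Remote PIX 506E, version 6.3 syntax (added example, placeholder values) =====
! The peer is the FatPipe's PUBLIC address, not the ASA's 172.16.0.250 outside address:
! the PIX only ever exchanges packets with 198.51.100.5.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Key is bound to the HQ public IP; no-xauth/no-config-mode mark it as a site-to-site peer.
isakmp key REPLACE_WITH_SHARED_SECRET address 198.51.100.5 netmask 255.255.255.255 no-xauth no-config-mode
! NAT traversal on this side too, so the pair can agree to use UDP/4500.
isakmp nat-traversal 20
access-list REMOTE1_TO_HQ permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list REMOTE1_TO_HQ
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address REMOTE1_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
! Let decrypted tunnel traffic bypass the outside interface ACL on the PIX.
sysopt connection permit-ipsec
```

The second PIX gets the same spoke configuration with its own public IP, its own LAN in the access lists, and a second `crypto map OUTSIDE_MAP 20` entry plus `tunnel-group` on the ASA. The transform set and policy match the 3DES/SHA pair both platforms support; where the PIX image supports AES, prefer it on both ends, since the two sides must agree. A quick check after bringing the tunnel up is `show crypto isakmp sa` on the ASA and `show isakmp sa` on the PIX: if the ASA reports the peer on port 4500 rather than 500, NAT traversal was detected and negotiated as intended.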